A vulnerability was found in ImageMagick. Insufficient filtering for filename passed to delegate's command allows remote code execution during conversion of several file formats. ImageMagick allows to process files with external libraries. This feature is called 'delegate'. It is implemented as a system() with command string ('command') from the config file delegates.xml with actual value for different params (input/output filenames etc). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate's command is used to handle https requests: "wget" -q -O "%o" "https:%M" where %M is the actual link from the input. It is possible to pass the value like `https://example.com"|ls "-la` and execute unexpected 'ls -la'. (wget or curl should be installed).
Mitigation: Details can be found under the resolve tab at https://access.redhat.com/security/vulnerabilities/2296071 Red Hat Enterprise Linux 6 and 7 ================================ As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL, TEXT, SHOW, WIN and PLT commands within image files, simply add the following lines: <policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="HTTP" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="FTP" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" /> <policy domain="coder" rights="none" pattern="TEXT" /> <policy domain="coder" rights="none" pattern="LABEL" /> <policy domain="coder" rights="none" pattern="SHOW" /> <policy domain="coder" rights="none" pattern="WIN" /> <policy domain="coder" rights="none" pattern="PLT" /> <policy domain="path" rights="none" pattern="@*" /> within the policy map stanza: <policymap> ... </policymap> Red Hat Enterprise Linux 5 ========================== In the following folders: /usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit package) or /usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package) Rename the following files: * mvg.so to mvg.so.bak * msl.so to msl.so.bak * label.so to label.so.bak
Created ImageMagick tracking bugs for this issue: Affects: fedora-all [bug 1332630]
Public via: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:0726 https://rhn.redhat.com/errata/RHSA-2016-0726.html