Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
ImageMagick Security Issue
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Duncan Mac Leod
Apprentice
Apprentice


Joined: 02 May 2004
Posts: 251
Location: Germany

PostPosted: Tue May 10, 2016 4:29 pm    Post subject: ImageMagick Security Issue Reply with quote

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

I don't see any updates in portage. Are there any plans to release the fixed versions (ImageMagick 7.0.1-2 and 6.9.4-0) to the stable tree?

The German heise.de reports http://www.heise.de/newsticker/meldung/Boese-Bilder-Akute-Angriffe-auf-Webseiten-ueber-ImageMagick-3200773.html that Websites are already under attack.
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5592

PostPosted: Tue May 10, 2016 7:01 pm    Post subject: Reply with quote

There's a bug filed; 7.0.1.2 is already in the tree but masked because it breaks compatibility.

In the meantime switching to media-gfx/graphicsmagick may be a better option.
Back to top
View user's profile Send private message
c00l.wave
Apprentice
Apprentice


Joined: 24 Aug 2003
Posts: 245

PostPosted: Wed May 18, 2016 9:47 am    Post subject: Reply with quote

I'm a bit uncomfortable with GraphicsMagick apparently having a similar issue as ImageMagick (others have been prevented before), which is currently being addressed on SCM. There is a 9999 ebuild on layman overlay "stuff" according to gpo.zugaina.org - did anyone try that yet?

Could the severity of these issues make it reasonable to include a 9999 ebuild into official portage or at least a few patches or a "pre-release" ebuild? I've made sure that my servers don't take images from untrusted sources but I still have a bad feeling about this...

Switching back to ImageMagick is not a real option - their multitude of quirks and issues and incompatible changes compared to GraphicsMagick made me switch from IM to GM in the first place (it was not for security reasons).

Quoting Bob Friesenhahn from their help mailing list regarding "ImageTragick":

Quote:
GraphicsMagick does not suffer from the specific exploits described as
"ImageTragick" because the related code was either re-written to avoid
security issues or the ImageMagick implementation otherwise diverged.

However, there is one serious issue known to me now and I plan to
perform an investigation to make sure that any issues are properly
identified so that they can be addressed in an expedient yet
reasonable way.

Once the investigation has been performed, I plan to post to the
GraphicsMagick announcements list regarding any local
fixes/work-arounds which can be made without needing to upgrade
GraphicsMagick or which could be applied to an existing release of
GraphicsMagick to make it safer.

GraphicsMagick makes only two or three releases per year and many
people do not have a reasonable opportunity to use the latest release
because they use the release that their OS distribution provides. For
example, stable Ubuntu 14.04 is providing 1.3.18, which was released
in March of 2013. A very large number of security fixes have been
made since that release.


I think it's about this commit.

BTW, it may be a good idea to stabilize 1.3.23, just in case there have been related changes. Gentoo currently only lists 1.3.18 as stable.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Back to top
View user's profile Send private message
Duncan Mac Leod
Apprentice
Apprentice


Joined: 02 May 2004
Posts: 251
Location: Germany

PostPosted: Wed May 18, 2016 1:07 pm    Post subject: Reply with quote

Ant P. wrote:
There's a bug filed; 7.0.1.2 is already in the tree but masked because it breaks compatibility.


Why not backport the fix?
Back to top
View user's profile Send private message
rini17
n00b
n00b


Joined: 04 Jan 2006
Posts: 25
Location: Bratislava, Slovakia

PostPosted: Sun May 29, 2016 5:39 pm    Post subject: Reply with quote

Ant P. wrote:
In the meantime switching to media-gfx/graphicsmagick may be a better option.


How do I do it? Tried -imagemagick graphicsmagick useflags, but some packages (lyx,octave,calibre, indirectly inkscape) still depend on IM and it causes a conflict.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Sun May 29, 2016 7:45 pm    Post subject: Reply with quote

rini17 wrote:
Ant P. wrote:
In the meantime switching to media-gfx/graphicsmagick may be a better option.

How do I do it? Tried -imagemagick graphicsmagick useflags, but some packages (lyx,octave,calibre, indirectly inkscape) still depend on IM and it causes a conflict.

rini17 ... you want to set the 'imagemagick' useflag on media-gfx/graphicsmagick, I have the following:

/etc/portage/package.use:
media-gfx/graphicsmagick fontconfig imagemagick jpeg jpeg2k lcms lzma png postscript X

... and the packages dependent media-gfx/graphicsmagick[imagemagick] function exactly as they would with media-gfx/imagemagick.

Note, obviously media-gfx/imagemagick would need to be removed prior to installing media-gfx/graphicsmagick[imagemagick] (as they conflict).

best ... khay
Back to top
View user's profile Send private message
c00l.wave
Apprentice
Apprentice


Joined: 24 Aug 2003
Posts: 245

PostPosted: Sun May 29, 2016 7:54 pm    Post subject: Reply with quote

AFAIK ImageMagick is now more secure than GraphicsMagick when it comes to those "ImageTragick"-related issues as the delegates/policy workarounds appear to have been implemented on portage but GM does not offer any such options. So, I'm not entirely sure what to do about GM.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Sun May 29, 2016 9:37 pm    Post subject: Reply with quote

c00l.wave wrote:
AFAIK ImageMagick is now more secure than GraphicsMagick when it comes to those "ImageTragick"-related issues as the delegates/policy workarounds appear to have been implemented on portage but GM does not offer any such options. So, I'm not entirely sure what to do about GM.

c00l.wave ... graphicsmagick is a different codebase (independent of imagemagick since 2002), I'm fairly certain that Ermishkin and Stewie, or indeed anyone, could test graphicsmagick for the same CVE's ... you're suggesting this hasn't happened and that the same issues are part of the graphicsmagick codebase, I suggest you provide evidence of this being the case.

best ... khay
Back to top
View user's profile Send private message
c00l.wave
Apprentice
Apprentice


Joined: 24 Aug 2003
Posts: 245

PostPosted: Sun May 29, 2016 9:46 pm    Post subject: Reply with quote

khayyam wrote:
I suggest you provide evidence of this being the case.

Maybe you missed my post above from 18 May. Gentoo hasn't stabilized the latest release although GM's main developer (at least I assume he is) clearly states that there have been a number of security-relevant patches since the pretty old 1.3.18 release that is stable on portage... Also see the commit I mentioned and tell me again it is not related to "ImageTragick" investigation.

Yes, GM has been forked a long time ago and yes, GM has indeed taken better pre-cautions to avoid what has just happened with IM. But that doesn't mean GM is completely bug-free and unaffected. And I don't see an easy way to disable the image formats or resource protocols in GM as, apparently, you can do in more recent IM versions (delegate & policy files). Or maybe I'm just blind - can you tell me where I can implement similar workarounds in GM as were proposed and implemented for IM? I couldn't find anything like that.

It may not be possible to run the IM exploits against GM but I doubt it's impossible to write an exploit against GM, especially the 1.3.18 release everyone on Gentoo is still installing unless using keywords. I'd be careful to call 1.3.18 secure if you read the changelog.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Mon May 30, 2016 3:07 pm    Post subject: Reply with quote

c00l.wave wrote:
khayyam wrote:
I suggest you provide evidence of this being the case.

Maybe you missed my post above from 18 May. Gentoo hasn't stabilized the latest release although GM's main developer (at least I assume he is) clearly states that there have been a number of security-relevant patches since the pretty old 1.3.18 release that is stable on portage... Also see the commit I mentioned and tell me again it is not related to "ImageTragick" investigation.

c00l.wave ... yes, I did miss that post, and yes sanity checking image path is "tragick".

c00l.wave wrote:
It may not be possible to run the IM exploits against GM but I doubt it's impossible to write an exploit against GM, especially the 1.3.18 release everyone on Gentoo is still installing unless using keywords. I'd be careful to call 1.3.18 secure if you read the changelog.

OK, but the issue here is not with graphicsmagick but with distro's, gentoo specifically.

best ... khay
Back to top
View user's profile Send private message
pjeutr
n00b
n00b


Joined: 29 Aug 2006
Posts: 21

PostPosted: Mon May 30, 2016 8:01 pm    Post subject: GraphicsMagick and ImageMagick popen() shell vulnerability Reply with quote

There's another serious security issue with ImageMagick
http://permalink.gmane.org/gmane.comp.security.oss.general/19669

Doesn't seem to be related to previous one in this thread.
Solution seems simple but I don't know the impact of disabling popen.
Any expert opinion?
Back to top
View user's profile Send private message
c00l.wave
Apprentice
Apprentice


Joined: 24 Aug 2003
Posts: 245

PostPosted: Mon May 30, 2016 8:08 pm    Post subject: Reply with quote

In this case I'm actually fine with what the others said - wait for GM 1.3.24 to show up in portage (got released today) and replace IM. ;) I guess this will actually kick 1.3.18 out of portage (or at least hard-mask it) and instead stabilize 1.3.24.

For GM: https://bugs.gentoo.org/show_bug.cgi?id=584512
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Back to top
View user's profile Send private message
pjeutr
n00b
n00b


Joined: 29 Aug 2006
Posts: 21

PostPosted: Mon May 30, 2016 9:16 pm    Post subject: Reply with quote

Ok, In the meantime I'll check if I want to replace IM for GM. I'm not savvy with the pro's and con's
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum