A vulnerability was found in Imagemagick where insufficient filtering for filenames passed to a delegate's command allows remote code execution during the conversion of several file formats.
ImageMagick allows files to be processed with external libraries. This feature is called a "delegate". It is implemented as a system() call with a command string ('command') taken from the config file delegates.xml, in which parameter placeholders (input/output filename, etc.) are substituted with actual values. Because the %M parameter is insufficiently filtered, it is possible to inject shell commands. One of the default delegate commands uses the following to handle HTTPS requests:
"wget" -q -O "%o" "https:%M"
where %M is the actual link taken from the input. If wget or curl is installed, it is possible to pass the value "https://example.com" |ls "-la" and unexpectedly execute 'ls -la'.
All Red Hat customers using ImageMagick are strongly recommended to apply mitigations to their systems pending the release of security errata. Recommended mitigations are found under the Resolve tab.
Red Hat Product Security has rated this issue as having a security impact of Important.
The following Red Hat Product versions are impacted:
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat OpenShift Enterprise
Impact
Any customer using ImageMagick to process untrusted or third-party images is potentially impacted. Examples include auto-generated thumbnail code using ImageMagick or third-party usage of ImageMagick to process images uploaded to your servers, which is often done by web applications that receive untrusted user input.
Red Hat Enterprise Linux 6 & 7
As a workaround, the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL and TEXT commands within image files. In the <policymap> section, add the following lines:
<policymap>
  ...
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="FTP" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
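To verify that a policy.xml actually carries every entry listed above (a missing or weakened line silently leaves that coder enabled), the following audit script, added here as an example and not part of the Red Hat article, parses the file and reports which recommended coder and path patterns are not set to rights="none". The sample policy embedded in it is constructed for illustration; point audit_file() at /etc/ImageMagick/policy.xml on a real host.

```python
"""Audit an ImageMagick policy.xml for the coder/path restrictions recommended above."""
import xml.etree.ElementTree as ET

# Coders the advisory recommends disabling, plus the "@*" path rule.
REQUIRED_CODER_PATTERNS = {"EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP",
                           "MVG", "MSL", "TEXT", "LABEL"}
REQUIRED_PATH_PATTERNS = {"@*"}


def denied_patterns(policy_xml: str, domain: str) -> set:
    """Return the patterns that have rights="none" for `domain` in the policy text."""
    root = ET.fromstring(policy_xml)
    found = set()
    for policy in root.iter("policy"):
        # Only an explicit rights="none" counts; rights="read" still lets the coder run.
        if policy.get("domain") == domain and policy.get("rights") == "none":
            found.add(policy.get("pattern"))
    return found


def missing_policies(policy_xml: str) -> dict:
    """Return the recommended patterns that the policy does not deny, per domain."""
    return {
        "coder": sorted(REQUIRED_CODER_PATTERNS - denied_patterns(policy_xml, "coder")),
        "path": sorted(REQUIRED_PATH_PATTERNS - denied_patterns(policy_xml, "path")),
    }


def audit_file(path: str = "/etc/ImageMagick/policy.xml") -> dict:
    """Read a policy.xml from disk and return its gaps (hypothetical helper for real hosts)."""
    with open(path, encoding="utf-8") as fh:
        return missing_policies(fh.read())


# Constructed sample: a policy.xml with only some of the recommended entries,
# and one entry (MSL) that was weakened to rights="read" instead of "none".
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="read" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    for domain, patterns in missing_policies(SAMPLE_POLICY).items():
        print(f"{domain}: missing rights=none for {patterns}" if patterns else f"{domain}: ok")
```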
Red Hat Enterprise Linux 5
In one of the following folders:
/usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64-bit package)
/usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32-bit package)
rename the following files: mvg.so, msl.so, label.so. Example:
$ mv mvg.so mvg.so.bak
$ mv msl.so msl.so.bak
$ mv label.so label.so.bak
Additionally, customers can modify third-party code that uses ImageMagick to verify an image's validity before passing it to ImageMagick for processing.
Updates for Affected Products
| Product | Component | Advisory/Status |
| Red Hat Enterprise Linux 5 | ImageMagick | Will Not Fix |
| Red Hat Enterprise Linux 6 | ImageMagick | RHSA-2016-0726 |
| Red Hat Enterprise Linux 7 | ImageMagick | RHSA-2016-0726 |