ImageMagick vulnerabilities


ronhof

May 4, 2016, 4:44:19 PM
to ResourceSpace
Just read this, https://imagetragick.com, which could potentially let unwanted users get full access to servers running ResourceSpace/ImageMagick. Has anyone worked out how best to implement the suggested fixes for ResourceSpace?

Jeff Nova

May 4, 2016, 5:33:55 PM
to ResourceSpace
The solutions are described here:


Either upgrade your IM to 7.0.1-1 or 6.9.3-10 or edit your policy.xml or delegates.xml as described in the link above.

- Jeff

On Wed, May 4, 2016 at 1:44 PM, ronhof <ronny....@gmail.com> wrote:
Just read this, https://imagetragick.com, which could potentially let unwanted users get full access to servers running ResourceSpace/ImageMagick. Has anyone worked out how best to implement the suggested fixes for ResourceSpace?

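Added example, not part of any post in this thread and not ResourceSpace or ImageMagick code: a small check that reports which of the coders the ImageTragick advisory says to disable (EPHEMERAL, URL, HTTPS, MVG, MSL; these names are taken from the advisory, not from this page) are still enabled in a policy.xml. The function name and the sample policy files are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory says to disable in policy.xml.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

def unblocked_coders(policy_xml):
    """Return the risky coders that policy_xml does not fully disable.

    Conservative on purpose: a coder counts as blocked only when some
    <policy domain="coder" rights="none"> pattern matches it and no other
    matching coder entry grants rights, so entry order never matters.
    policy_xml=None models an install with no policy.xml at all.
    fnmatch only approximates ImageMagick's glob syntax: brace lists are
    not expanded, so such entries are reported as unblocked.
    """
    if policy_xml is None:
        return list(RISKY_CODERS)
    root = ET.fromstring(policy_xml)
    denied, granted = set(), set()
    for entry in root.iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        pattern = entry.get("pattern", "").upper()
        rights = entry.get("rights", "").lower()
        for coder in RISKY_CODERS:
            if fnmatch.fnmatchcase(coder, pattern):
                (denied if rights == "none" else granted).add(coder)
    return [c for c in RISKY_CODERS if c not in denied or c in granted]

# Constructed samples, not taken from any real server.
PATCHED = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""
PARTIAL = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="M*" />
  <policy domain="coder" rights="read|write" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

if __name__ == "__main__":
    for name, xml in (("patched", PATCHED), ("partial", PARTIAL), ("no policy.xml", None)):
        print(name, "->", unblocked_coders(xml) or "all five coders disabled")
```

To check a real file, read it in binary mode and pass the bytes to unblocked_coders().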

ronhof

May 6, 2016, 7:00:03 AM
to ResourceSpace
Thanks for the info. 

1) Is it wise to upgrade an older ImageMagick (6.3.7) on an older version of ResourceSpace without also upgrading ResourceSpace itself? ImageMagick 6.3.7 does not even have policy files in place.

2) Or would it be sufficient to just remove the mentioned delegates in delegates.xml to get rid of the imminent threat?

I was not very keen to upgrade as the client is more than satisfied with the past years' stability and there is a plan in progress for doing the larger upgrade later this year.

BR, Ron.

Robert Liebsch

May 12, 2016, 10:12:25 AM
to ResourceSpace
Having the same problem as ronhof. In my ImageMagick installation, the files policy.xml and delegates.xml aren't there. Tried to find both with find -name on the server without success.

Can someone please give a step-by-step description of how to upgrade IM?

Cheers Robert

Jeff Nova

May 12, 2016, 11:09:28 AM
to resour...@googlegroups.com
It's very unlikely that upgrading ImageMagick would cause any trouble with your ResourceSpace installation - just be sure you don't install from the 7.x branch. That's my recommendation. 

- Jeff

Jeff Nova

May 12, 2016, 11:14:11 AM
to resour...@googlegroups.com
What platform are you on? How was ImageMagick installed in the first place?

- Jeff