ImageMagick RCE and BBB (CVE-2016-3714)?


Wesley Wright
May 5, 2016, 10:52:29 AM
to BigBlueButton-dev
Is BBB safe from these vulnerabilities?

Fred Dixon
May 5, 2016, 12:01:33 PM
to BigBlueButton-dev
Hi Wesley,

We've been looking at this as your e-mail came through.

We name ImageMagick as a dependency in the BigBlueButton packaging (we're not distributing it ourselves).  We expect that Canonical will be updating the ImageMagick package very soon.

However, in the meantime, we strongly recommend everyone update the policy.xml file as described


Specifically, add the following to

  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />

to 

 /etc/ImageMagick/policy.xml

For example

<policymap>
  <!-- <policy domain="system" name="precision" value="6"/> -->
  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
  <!-- <policy domain="resource" name="area" value="1GB"/> -->
  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
  <!-- <policy domain="resource" name="file" value="768"/> -->
  <!-- <policy domain="resource" name="thread" value="4"/> -->
  <!-- <policy domain="resource" name="throttle" value="0"/> -->
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <!-- Deny the coders abused by ImageTragick (CVE-2016-3714) -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

There is no need to restart your BigBlueButton server. Once you upgrade the policy.xml your version of ImageMagick is no longer vulnerable.

We recommend that anyone running BigBlueButton (or any other server that uses ImageMagick) do this now.

Regards,... Fred


On Thu, May 5, 2016 at 10:52 AM, Wesley Wright <w...@uvm.edu> wrote:
Is BBB safe from these vulnerabilities?




--
BigBlueButton Developer
@bigbluebutton
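A way to check that the policy.xml change recommended above is really in effect. This is an added example for this thread, not BigBlueButton's or ImageMagick's own code. It parses the policy file as XML (so a line that is still wrapped in `<!-- -->`, as every line in the stock file is, does not count as a policy the way it would for a grep), reports which of the five coders named above are still enabled, and, if a `convert` binary is on PATH, feeds it a harmless MVG document saved under a misleading `.png` name, which ImageMagick identifies by content. Assumptions: the glob matching in `_pattern_covers` approximates ImageMagick's own, the default path is the one from the thread (newer Ubuntu packages use `/etc/ImageMagick-6/policy.xml`), and the sample policies and probe file are constructed for this example.

```python
"""Audit an ImageMagick policy.xml for the CVE-2016-3714 coder denials and,
where `convert` is installed, check that the running binary honours them."""
from typing import List, Optional, Set
import fnmatch
import os
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# The five coders the thread says to deny.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def _pattern_covers(pattern: str, coder: str) -> bool:
    """Assumption: approximates ImageMagick's glob match of a policy pattern
    against a coder name, including the {A,B,C} brace groups found in later
    stock policy.xml files (expanded by hand; fnmatch has no braces)."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        alternatives = [alt.strip() for alt in pattern[1:-1].split(",")]
    else:
        alternatives = [pattern]
    return any(fnmatch.fnmatchcase(coder.upper(), alt.upper()) for alt in alternatives)


def denied_coders(policy_xml: str) -> Set[str]:
    """Return which of IMAGETRAGICK_CODERS the policy text actually denies.

    Parsed as XML, so an entry inside <!-- --> is a comment, not a policy."""
    root = ET.fromstring(policy_xml)
    denied: Set[str] = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "")
        denied.update(c for c in IMAGETRAGICK_CODERS if _pattern_covers(pattern, c))
    return denied


def missing_coders(policy_xml: str) -> List[str]:
    """Coders from the thread's list that the policy leaves enabled, in list order."""
    denied = denied_coders(policy_xml)
    return [c for c in IMAGETRAGICK_CODERS if c not in denied]


def audit_policy_file(path: str = "/etc/ImageMagick/policy.xml") -> List[str]:
    """Audit a policy.xml on disk. Default path is the one from the thread
    (Ubuntu 14.04); Ubuntu 16.04's package uses /etc/ImageMagick-6/policy.xml."""
    with open(path, "r", encoding="utf-8") as fh:
        return missing_coders(fh.read())


# Constructed MVG document carrying no payload. ImageMagick recognises MVG by
# its "push graphic-context" magic, so the .png name used below must not matter.
PROBE_MVG = b"push graphic-context\nviewbox 0 0 64 64\nfill red\nrectangle 8,8 56,56\npop graphic-context\n"


def probe_live_policy() -> Optional[bool]:
    """Hand the probe to the installed `convert` under a misleading extension.

    True  -> refused with "not authorized" (MVG coder denied by policy)
    False -> converted, or failed for some unrelated reason
    None  -> no `convert` binary on PATH"""
    convert = shutil.which("convert")
    if convert is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        probe = os.path.join(tmp, "probe.png")
        with open(probe, "wb") as fh:
            fh.write(PROBE_MVG)
        result = subprocess.run([convert, probe, os.path.join(tmp, "out.png")],
                                capture_output=True, text=True, timeout=30)
    return result.returncode != 0 and "not authorized" in result.stderr


# Constructed samples: the stock file with everything commented out, the
# thread's five lines, and the same denial written as one brace group.
STOCK_POLICY = """<policymap>
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
</policymap>
"""
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""
BRACE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL}" />
</policymap>
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: still enabled -> {missing_coders(text) or 'none'}")
    status = probe_live_policy()
    print("live convert check:", {True: "refused (good)", False: "NOT refused",
                                  None: "convert not installed"}[status])
```

Run `audit_policy_file()` against the real file after editing it; an empty list means all five coders are denied. The live probe is the more meaningful check, since it exercises the policy the same way an uploaded file would, and it should print "refused (good)" on a server where the change took effect.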