Is the PECL imagick extension also vulnerable to the new ImageMagick security issue?

I'm asking if the PECL imagick extension is also vulnerable to the new very critical ImageMagick security issue (check here and here). Is the extension just using the ImageMagick tool via shell, too?

Yes.

The Imagick PECL is a PHP binding to the C-API MagickWand. It does not invoke a shell session, but is vulnerable to the delegate security issues -- just the same.

Update the policy.xml as recommended by the notice.

edit for completion

How to update policy.xml (YMMV)

  • Locate ImageMagick's shared path on system.

     $ identify -list configure | grep SHARE
     #=> SHARE_PATH /usr/share/ImageMagick-6

  • Create or edit policy.xml in directory of previous step.

     $ cd /usr/share/ImageMagick-6
     # tee runs under sudo, so the write into the root-owned directory succeeds
     $ sudo tee policy.xml > /dev/null <<EOF
     <policymap>
       <policy domain="coder" rights="none" pattern="EPHEMERAL" />
       <policy domain="coder" rights="none" pattern="HTTPS" />
       <policy domain="coder" rights="none" pattern="MVG" />
       <policy domain="coder" rights="none" pattern="MSL" />
       <policy domain="coder" rights="none" pattern="TEXT" />
       <policy domain="coder" rights="none" pattern="SHOW" />
       <policy domain="coder" rights="none" pattern="WIN" />
       <policy domain="coder" rights="none" pattern="PLT" />
     </policymap>
     EOF

  • Verify policy loads with identify -list policy.

  • Restart web-services to ensure new policies are loaded.
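
An added check for the verification step in the answer above (example code, not part of the original answer or of ImageMagick): it parses a policy.xml and lists which of the eight coders named above are not clearly denied. The function name, the constructed sample and the conservative rule (every matching coder entry must have rights="none") are assumptions of this example; it does not model how ImageMagick merges several policy files.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Coders the answer's policy.xml disables.
CODERS = ["EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]


def unblocked_coders(policy_xml, coders=CODERS):
    """Return the coders that policy_xml does not clearly deny.

    Hypothetical helper: commented-out entries are ignored by the XML
    parser, attribute order does not matter, and patterns are treated
    as globs matched case-insensitively against the coder name.
    """
    root = ET.fromstring(policy_xml)
    entries = [
        (p.get("pattern", "").upper(), p.get("rights", "").strip().lower())
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
    ]
    missing = []
    for coder in coders:
        rights = [r for pat, r in entries if fnmatch.fnmatchcase(coder, pat)]
        # Conservative rule: at least one match, and every match is "none".
        if not rights or any(r != "none" for r in rights):
            missing.append(coder)
    return missing


# Constructed sample: MVG is commented out, SHOW still grants read,
# PLT is absent, TEXT has its attributes in a different order.
SAMPLE = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy rights="none" pattern="TEXT" domain="coder" />
  <policy domain="coder" rights="read" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
</policymap>"""

if __name__ == "__main__":
    # Pass the path to policy.xml; without one the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    missing = unblocked_coders(text)
    print("not denied:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```

Run it against the policy.xml in the SHARE_PATH directory found in the first step; a non-zero exit status means at least one of the coders is still allowed by that file.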
