This project has moved. For the latest updates, please go here.

ImageMagick Security Issue

May 3, 2016 at 9:36 PM
ImageMagick recently received vulnerability reports for certain coders, they include possible remote code execution and ability to render files on the local system.

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Are these issues addressed in Magick.NET or is there a way to correctly configure Magick.NET?

The method to prevent the exploits requires the use of policy.xml settings and to check the "magic bytes" for image files as suggested here; https://imagetragick.com/
Coordinator
May 4, 2016 at 4:44 AM
The remote code execution issue is not possible in Magick.NET. I did publish a new release that includes a fix for reading files on the system.
May 4, 2016 at 4:53 PM
Looking at the vulnerability disclosure, there are five issues:
  1. CVE-2016-3714: Remote code execution via command injection
  2. CVE-2016-3715: Arbitrary file delete
  3. CVE-2016-3716: Arbitrary file move
  4. CVE-2016-3717: Arbitrary file read
  5. CVE-2016-3718: Arbitrary HTTP/FTP GET requests
I see that your policy.xml change on Tuesday added the recommended entry to block indirect reads (issue #4 above).

Could you elaborate on how 1, 2, 3, and 5 have been mitigated in Magick.NET?
Coordinator
May 4, 2016 at 9:02 PM
The main issue with these CVE's is related to the MVG and MSL coders. Last night I thought that it was a bad idea to disable them by default. I changed my mind during the day and I will disable them and publish a new release tonight or tomorrow. Issue 1 only happens on non Windows systems. The other issues will be resolved when I disable those two coders.
May 4, 2016 at 9:56 PM
Edited May 4, 2016 at 9:58 PM
Hi, Since Microsoft is (1) porting .NET to Linux/Mac and (2) they are not porting System.Drawing to Linux/Mac (yet), many people would be using ImageMagicK.net on Linux/Mac and would be vulnerable to issue 1.

Hence it would be very helpful if you could fix the first issue too. Thank you for all your help :)
Coordinator
May 5, 2016 at 8:34 AM
Edited May 5, 2016 at 11:19 AM
You also don't need to worry about issue 1 when I add support for Linux/Mac for .NET Core. The SVG coder that Magick.NET uses is librsvg that does not have this issue. And a new release that disables MVG and MSL by default will be published later today. Users that still require those format should go to 'https://magick.codeplex.com/documentation' and read the 'Initialization' part.
Coordinator
May 5, 2016 at 3:02 PM
It turns out that the policy.xml file is not being used. This means that the change from Tuesday does nothing. Working on a fix now.
Coordinator
May 5, 2016 at 8:30 PM
Please upgrade to Magick.NET 7.0.1.101 to resolve the security issue.

p.s. @MSwannMSFT: Is Microsoft using Magick.NET?
May 5, 2016 at 8:32 PM
Thanks for the quick turnaround on this!

Yes, we are using Magick.NET at Microsoft.
Coordinator
May 5, 2016 at 8:35 PM
Can you elaborate on what you are using it for? Feel free to contact me through CodePlex if you don't want to share it publicly.
May 9, 2016 at 10:37 PM
I see there is an upgrade to Magick.NET 7.0.1.101 and associated NuGet package to resolve the security issue.

Are you planning to release a build and package that fixes version 6? We are using the NuGet package 6.8.9.601 (wraps 6.8.9.6)
We have not been able to upgrade to 7.x because there were some breaking changes in version 7, and 7 is currently beta status.
Coordinator
May 10, 2016 at 5:11 AM
ImageMagick 7 is no longer in beta since 30 april. I won't be publishing a new release for the version 6 release. A lot of changes and improvements have been made since then. Feel free to contact me through CodePlex if you need help with the upgrade.
Jun 13, 2016 at 9:32 PM
arthg wrote:
I see there is an upgrade to Magick.NET 7.0.1.101 and associated NuGet package to resolve the security issue.

Are you planning to release a build and package that fixes version 6? We are using the NuGet package 6.8.9.601 (wraps 6.8.9.6)
We have not been able to upgrade to 7.x because there were some breaking changes in version 7, and 7 is currently beta status.
Hi, I am intending to use Magick.NET 7.0.1.500 in my MVC application, this version covers the CVE 1-5 as well ?, all I have to do is add the required DLL's and the latest policy.xml file, will this be enough to cover the vulnerabilities mentioned above ? Where can I find the Policy.xml corresponding to this?
Thanks for your help
Coordinator
Jun 14, 2016 at 5:17 AM
All you need to do is upgrade to the latest version. The policy.xml file is included as an embedded resource and already contains the correct settings to prevent the exploit (https://magick.codeplex.com/SourceControl/latest#Magick.NET.Native/Resources/xml/policy.xml). You can decide to use your own policy.xml file and initialize the library as described on the documentation page, but I would advise you to use the default policy.xml file.
Jun 14, 2016 at 1:21 PM
Perfect, thanks a lot sir!