# ImageMagick Security Issue

## Duncan Mac Leod

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

I don't see any updates in portage. Are there any plans to release the fixed versions (ImageMagick 7.0.1-2 and 6.9.4-0) to the stable tree?

The German heise.de reports http://www.heise.de/newsticker/meldung/Boese-Bilder-Akute-Angriffe-auf-Webseiten-ueber-ImageMagick-3200773.html that websites are already under attack.

----------

## Ant P.

There's a bug filed; 7.0.1.2 is already in the tree but masked because it breaks compatibility.

In the meantime switching to media-gfx/graphicsmagick may be a better option.

----------

## c00l.wave

I'm a bit uncomfortable with GraphicsMagick apparently having a similar issue as ImageMagick (others have been prevented before), which is currently being addressed on SCM. There is a 9999 ebuild on layman overlay "stuff" according to gpo.zugaina.org - did anyone try that yet?

Could the severity of these issues make it reasonable to include a 9999 ebuild into official portage or at least a few patches or a "pre-release" ebuild? I've made sure that my servers don't take images from untrusted sources but I still have a bad feeling about this...

Switching back to ImageMagick is not a real option - their multitude of quirks and issues and incompatible changes compared to GraphicsMagick made me switch from IM to GM in the first place (it was not for security reasons).

Quoting Bob Friesenhahn from their help mailing list regarding "ImageTragick":

 *Quote:*   

> GraphicsMagick does not suffer from the specific exploits described as "ImageTragick" because the related code was either re-written to avoid security issues or the ImageMagick implementation otherwise diverged.
> ...

 

I think it's about this commit.

BTW, it may be a good idea to stabilize 1.3.23, just in case there have been related changes. Gentoo currently only lists 1.3.18 as stable.

----------

## Duncan Mac Leod

 *Ant P. wrote:*   

> There's a bug filed; 7.0.1.2 is already in the tree but masked because it breaks compatibility.

 

Why not backport the fix?

----------

## rini17

 *Ant P. wrote:*   

> In the meantime switching to media-gfx/graphicsmagick may be a better option.

 

How do I do it? Tried -imagemagick graphicsmagick useflags, but some packages (lyx, octave, calibre, indirectly inkscape) still depend on IM and it causes a conflict.

----------

## khayyam

 *rini17 wrote:*   

>  *Ant P. wrote:*   In the meantime switching to media-gfx/graphicsmagick may be a better option. 
> 
> How do I do it? Tried -imagemagick graphicsmagick useflags, but some packages (lyx, octave, calibre, indirectly inkscape) still depend on IM and it causes a conflict.

 

rini17 ... you want to set the 'imagemagick' useflag on media-gfx/graphicsmagick, I have the following:

```
media-gfx/graphicsmagick fontconfig imagemagick jpeg jpeg2k lcms lzma png postscript X
```

... and the packages dependent on media-gfx/graphicsmagick[imagemagick] function exactly as they would with media-gfx/imagemagick.

Note, obviously media-gfx/imagemagick would need to be removed prior to installing media-gfx/graphicsmagick[imagemagick] (as they conflict).

best ... khay

----------

## c00l.wave

AFAIK ImageMagick is now more secure than GraphicsMagick when it comes to those "ImageTragick"-related issues as the delegates/policy workarounds appear to have been implemented on portage but GM does not offer any such options. So, I'm not entirely sure what to do about GM.

----------

## khayyam

 *c00l.wave wrote:*   

> AFAIK ImageMagick is now more secure than GraphicsMagick when it comes to those "ImageTragick"-related issues as the delegates/policy workarounds appear to have been implemented on portage but GM does not offer any such options. So, I'm not entirely sure what to do about GM.

 

c00l.wave ... graphicsmagick is a different codebase (independent of imagemagick since 2002), I'm fairly certain that Ermishkin and Stewie, or indeed anyone, could test graphicsmagick for the same CVEs ... you're suggesting this hasn't happened and that the same issues are part of the graphicsmagick codebase, I suggest you provide evidence of this being the case.

best ... khay

----------

## c00l.wave

 *khayyam wrote:*   

> I suggest you provide evidence of this being the case.

 

Maybe you missed my post above from 18 May. Gentoo hasn't stabilized the latest release although GM's main developer (at least I assume he is) clearly states that there have been a number of security-relevant patches since the pretty old 1.3.18 release that is stable on portage... Also see the commit I mentioned and tell me again it is not related to "ImageTragick" investigation.

Yes, GM has been forked a long time ago and yes, GM has indeed taken better precautions to avoid what has just happened with IM. But that doesn't mean GM is completely bug-free and unaffected. And I don't see an easy way to disable the image formats or resource protocols in GM as, apparently, you can do in more recent IM versions (delegate & policy files). Or maybe I'm just blind - can you tell me where I can implement similar workarounds in GM as were proposed and implemented for IM? I couldn't find anything like that.

It may not be possible to run the IM exploits against GM but I doubt it's impossible to write an exploit against GM, especially the 1.3.18 release everyone on Gentoo is still installing unless using keywords. I'd be careful to call 1.3.18 secure if you read the changelog.

----------

## khayyam

 *c00l.wave wrote:*   

>  *khayyam wrote:*   I suggest you provide evidence of this being the case. 
> 
> Maybe you missed my post above from 18 May. Gentoo hasn't stabilized the latest release although GM's main developer (at least I assume he is) clearly states that there have been a number of security-relevant patches since the pretty old 1.3.18 release that is stable on portage... Also see the commit I mentioned and tell me again it is not related to "ImageTragick" investigation.

 

c00l.wave ... yes, I did miss that post, and yes sanity checking image path is "tragick".

 *c00l.wave wrote:*   

> It may not be possible to run the IM exploits against GM but I doubt it's impossible to write an exploit against GM, especially the 1.3.18 release everyone on Gentoo is still installing unless using keywords. I'd be careful to call 1.3.18 secure if you read the changelog.

 

OK, but the issue here is not with graphicsmagick but with distros, gentoo specifically.

best ... khay

----------

## pjeutr

There's another serious security issue with ImageMagick

http://permalink.gmane.org/gmane.comp.security.oss.general/19669

Doesn't seem to be related to previous one in this thread.

Solution seems simple but I don't know the impact of disabling popen.

Any expert opinion?

----------

## c00l.wave

In this case I'm actually fine with what the others said - wait for GM 1.3.24 to show up in portage (got released today) and replace IM. ;) I guess this will actually kick 1.3.18 out of portage (or at least hard-mask it) and instead stabilize 1.3.24.

For GM: https://bugs.gentoo.org/show_bug.cgi?id=584512

----------

## pjeutr

OK, in the meantime I'll check if I want to replace IM for GM. I'm not savvy with the pros and cons.

----------

