A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP's Imagick, Ruby's RMagick and Paperclip, and Node.js's imagemagick.
More information about the vulnerability can be found on the ImageMagick website. (Updated 05/05: the issue has been named ImageTragick.)
If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities as follows:
1. Edit the policy.xml file of ImageMagick:
/opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
2. Add the following policy rules (updated 05/05). The <policy> entries go inside the <policymap> element that policy.xml already contains; do not add a second <policymap>:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
</policymap>
3. Verify your policies with the following command:
convert -list policy
Below is an example policy output:
Path: [built-in]
  Policy: Undefined
    rights: None
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
  ...
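Reading the listing by eye is error-prone on a host with a long policy.xml. As an added example (not from the original post and not Bitnami's own tooling), the following POSIX shell script parses the text that `convert -list policy` prints and reports which of the nine coder patterns above are not denied. The listing embedded in it is a constructed sample so that the script runs offline; the function names `denied_coders`, `missing_coders` and `policy_ok` are chosen here. Note that a pattern only counts as mitigated when its entry has domain Coder and rights None, so a stray entry with other rights is reported as missing.

```shell
#!/bin/sh
# Added example: check `convert -list policy` output for the ImageTragick
# coder denials. Not part of the original Bitnami post.

# The nine coder patterns from the policy rules above.
REQUIRED_CODERS="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# Constructed sample of `convert -list policy` output (not captured from a
# real host). It denies six coders, leaves PLT readable and omits SHOW and
# WIN entirely, so it should be reported as incomplete.
SAMPLE_LISTING='Path: [built-in]
  Policy: Undefined
    rights: None
Path: /opt/bitnami/common/lib/ImageMagick-6.7.5/config/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
  Policy: Coder
    rights: None
    pattern: TEXT
  Policy: Coder
    rights: Read
    pattern: PLT'

# denied_coders: read a policy listing on stdin and print, one per line,
# every pattern whose entry is domain Coder with rights None.
denied_coders() {
    awk '
        /^ *Policy:/  { policy = $2; rights = "" }
        /^ *rights:/  { rights = $2 }
        /^ *pattern:/ { if (policy == "Coder" && rights == "None") print $2 }
    '
}

# missing_coders: read a policy listing on stdin and print, on one line,
# the required patterns that are not denied (empty line if none).
missing_coders() {
    denied=$(denied_coders)
    missing=""
    for c in $REQUIRED_CODERS; do
        printf '%s\n' "$denied" | grep -qx "$c" || missing="$missing $c"
    done
    printf '%s\n' "${missing# }"
}

# policy_ok: exit 0 when every required coder is denied, 1 otherwise.
policy_ok() {
    [ -z "$(missing_coders)" ]
}

# Demonstration on the constructed sample. On a real host run instead:
#   convert -list policy | missing_coders
printf '%s\n' "$SAMPLE_LISTING" | missing_coders
```

Run on a real host, the listing comes from `convert -list policy` rather than the embedded sample, and a non-empty result means the policy.xml edit did not take effect (wrong file path, a second `<policymap>` element, or a typo in a pattern). The ImageTragick advisory additionally recommends a `path` domain rule with pattern `@*`; this script checks only the coder rules shown on this page.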
The Bitnami Team is working hard on updating the library to its latest version in order to fix this issue in our future releases. If you have questions about ImageMagick or the security vulnerability, please post to our community forum, and we will be happy to help you.