Reply to post: Re: Developer forum is murdering ImageMagick

Server-jacking exploits for ImageMagick are so trivial, you'll scream

Anonymous Coward

Re: Developer forum is murdering ImageMagick

Confirmed: GraphicsMagick is NOT vulnerable to the particular exploit in this article. It bails out if the file's extension doesn't match its 'magic number' header, and if you give it the proper extension (.mvg) it rejects the malicious 'fill color'.

This does not mean GraphicsMagick is 100% safe.

Meanwhile, turns out it's pretty easy to screw up the policy.xml patch for ImageMagick. Test the exploit code before and after patching, or just switch to GraphicsMagick.
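
A static check for the policy.xml patch mentioned in the comment above, as an added example that is not part of the original post or of ImageMagick. The coder list comes from the widely published ImageTragick mitigation advice rather than from this page, and `unblocked_coders` and the sample strings are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Coder names from the widely published ImageTragick mitigation advice
# (assumption: this page does not list them).
REQUIRED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

def unblocked_coders(policy_xml, required=REQUIRED):
    """Return the required coders that this policy.xml text does not deny."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return list(required)          # malformed file: assume nothing is blocked
    if root.tag != "policymap":
        return list(required)
    denied, granted = set(), set()
    # Direct children only; entries inside <!-- --> never reach the parsed tree.
    for entry in root.findall("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        name = entry.get("pattern", "").upper()   # exact names only, no glob expansion
        if entry.get("rights", "").lower() == "none":
            denied.add(name)
        else:
            granted.add(name)          # conservative: any competing grant counts as unblocked
    return [c for c in required if c not in denied or c in granted]

# Constructed sample inputs.
GOOD = "<policymap>" + "".join(
    '<policy domain="coder" rights="none" pattern="%s"/>' % c for c in REQUIRED
) + "</policymap>"
COMMENTED_OUT = "<policymap><!-- %s --></policymap>" % GOOD[11:-12]
TYPO = GOOD.replace('domain="coder" rights="none" pattern="MVG"',
                    'domain="coders" rights="none" pattern="MVG"')

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        missing = unblocked_coders(fh.read())
    print("not blocked: " + ", ".join(missing) if missing else "all required coders denied")
    sys.exit(1 if missing else 0)
```

A clean result only describes the file's contents; it does not show that the installed ImageMagick actually reads that file.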
