ImageMagick exploit: cve-2016-3714 "magic byte" validation #1933
Comments
Carrierwave uses the mime-types gem, which detects content type based on filename. I've already flagged this as a potential security issue over a year ago (#1543), but the consensus at the time was that it's outside the scope of this project and a custom processor would be preferable.
@d4rky-pl given the current issue, do you mind giving it a try with your fix? I was also looking at a solution yesterday, but didn't know about the file from unix solution. I would like to leave this outside carrierwave, but given the current issue... We'll do what we can to protect our users from exploits. If it has to be some sort of temporary patch, I can take care of maintaining it and making sure it transitions to another gem, no problem. Thanks
What approaches are being considered to detect the content type? I'd use something like mimemagick rather than calling the file command. The reason for this is that in some production environments these kinds of syscalls are disabled. What are your thoughts on this?
From what I read, this is also the approach paperclip is using: https://github.com/thoughtbot/paperclip/blob/v4.3.6/lib/paperclip/content_type_detector.rb#L69-L72
The mimemagick approach seems good; anybody is free to submit a PR with a solution. 👍
We've confirmed that a Rails application using carrierwave 0.9.0 is vulnerable to CVE-2016-3714 with ImageMagick.
I created a PR to fix this issue: #1934
Will there be a backport for older versions of this fix?
Anyone looking for immediate solutions might well take a look at https://github.com/DarthSim/carrierwave-bombshelter
@fqueiruga yes, there will be a backport for 0.11; for older versions, feel free to backport it and I'll merge it and generate a new release. As of now I recommend that people use https://github.com/DarthSim/carrierwave-bombshelter. We're in the process of adding mitigation for this issue in a new release of 0.11.
Hello everyone. The 0.11.2 carrierwave gem version has been published -- please upgrade and provide feedback if it does work for you. Don't forget to check the steps provided in https://github.com/carrierwaveuploader/carrierwave/tree/0.11-stable#cve-2016-3714-imagetragick in order to shield your application from the "CVE-2016-3714 ImageTragick" vulnerability. A BIG THANKS to @locriani who took his time to submit a patch. For those following the master branch (not really recommended), stick to https://github.com/DarthSim/carrierwave-bombshelter and perhaps also join this discussion: #1934
It doesn't work for me. I don't think the This commit doesn't seem to add any call to
@locriani can you give a read here? Cheers.
I'll take a look shortly.
I made the mistake of assuming I could backport cleanly - the content_type_whitelist / blacklist do not exist in the 0.11 branch. I'll create an updated PR that brings that functionality to 0.11
Carrierwave 0.11.2 released, please provide feedback!
Haven't tested against the vulnerability in question but no problems with 0.11.2 as of yet 👍🏽
I have tested this. You get this exception:
I suspect the translation files are missing a key.
Detecting the content-type only using the magic number with MimeMagic seems too general to me.
If we use the policy.xml fix but using an older version (0.9 or 0.10), are we still vulnerable? The information about the vulnerability of Carrierwave to imagetragick is not well communicated.
The solution with I'm now solving that with the following helper method, but it is sub-optimal since it uses a private method:

```ruby
def image?(new_file)
  # mime_magic_content_type is private on the CarrierWave file, hence `send`
  mime_magic_content_type = new_file.send :mime_magic_content_type
  mime_magic_content_type && mime_magic_content_type.include?('image')
end
```
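The magic-byte detection discussed earlier in the thread (mimemagic instead of the extension-based mime-types lookup) and the `image?` whitelist helper above, as an added example that is not carrierwave's code and not the mimemagic gem: it reads the leading bytes of the content, compares them with a small signature table, and accepts the upload only when the detected type is a whitelisted image type that also agrees with the extension. The helper names, the signature table and the sample uploads are assumptions constructed for this example.

```ruby
# Added example, not carrierwave's own code: content-type detection from the
# file's leading "magic" bytes rather than from the filename extension.
# The signature table below is deliberately tiny (a real detector such as the
# mimemagic gem carries a much larger one); helper names are our own.

MAGIC_SIGNATURES = {
  'image/png'  => ["\x89PNG\r\n\x1a\n".b],
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b],
}.freeze

EXTENSION_TYPES = {
  '.png' => 'image/png', '.jpg' => 'image/jpeg',
  '.jpeg' => 'image/jpeg', '.gif' => 'image/gif',
}.freeze

# What an extension-based lookup (the mime-types behaviour) reports: it only
# ever sees the name, so any file renamed to .png "is" a PNG.
def extension_content_type(filename)
  EXTENSION_TYPES[File.extname(filename).downcase]
end

# Magic-byte detection: compare the first bytes of the content against the
# known signatures. Returns nil when nothing matches.
def magic_content_type(bytes)
  head = bytes.b[0, 16]
  MAGIC_SIGNATURES.each do |type, signatures|
    return type if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Whitelist validation: the content must look like an allowed image type, and
# that type must match what the extension claims. A non-image renamed to .png
# fails the first test; real JPEG bytes named .png fail the second.
def acceptable_image?(filename, bytes, allowed = MAGIC_SIGNATURES.keys)
  detected = magic_content_type(bytes)
  return false unless detected && allowed.include?(detected)
  detected == extension_content_type(filename)
end

# Constructed sample uploads (header bytes only, padded with zeros).
SAMPLE_UPLOADS = {
  'photo.png'      => "\x89PNG\r\n\x1a\n".b + ("\x00" * 8).b,
  'photo.jpg'      => "\xFF\xD8\xFF\xE0".b + ("\x00" * 12).b,
  'banner.gif'     => 'GIF89a'.b + ("\x00" * 10).b,
  'renamed.png'    => "not an image at all\n".b,                # text file named .png
  'mislabeled.png' => "\xFF\xD8\xFF\xE0".b + ("\x00" * 12).b,  # JPEG bytes named .png
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_UPLOADS.each do |name, bytes|
    printf "%-16s extension=%-12s magic=%-12s accepted=%s\n",
           name, extension_content_type(name).inspect,
           magic_content_type(bytes).inspect, acceptable_image?(name, bytes)
  end
end
```

The two-sided check is what addresses the "too general" objection: magic bytes alone say only that the content starts like some image, while the extension alone says nothing about the content. Requiring both to agree, and both to be on the whitelist, is the stricter policy; the `allowed` parameter lets an uploader narrow the whitelist further without shelling out to `file`.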
For carrierwave 1.0.0, it would be nice if
#1934 is in the master now.
This article alerts that a new ImageMagick exploit is being used in the wild and describes the following fixes:
Can someone provide an update as to whether or not this affects CarrierWave and, if so, what steps are being taken or have been taken to mitigate the vulnerability?