From dea96e51136ee44971f3e3dafad67f8a5e111c50 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 6 May 2016 07:49:45 +0100 Subject: Document the security fixes in this release --- debian/NEWS | 24 ++++++++++++++++++++++++ doc/ikiwiki/directive/img.mdwn | 23 +++++++++++++++++++++++ doc/security.mdwn | 22 +++++++++++++++++++++- 3 files changed, 68 insertions(+), 1 deletion(-) diff --git a/debian/NEWS b/debian/NEWS index b2753c638..66b2b4299 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,27 @@ +ikiwiki (3.20160506) UNRELEASED; urgency=medium + + To mitigate CVE-2016-3714 and similar ImageMagick security vulnerabilities, + the [[!img]] directive is now restricted to these common web formats by + default: + + * JPEG (.jpg, .jpeg) + * PNG (.png) + * GIF (.gif) + * SVG (.svg) + + (In particular, by default resizing PDF files is no longer allowed.) + + Additionally, resized SVG files are displayed in the browser as SVG + instead of being converted to PNG. + + If all users who can attach images are fully trusted, this restriction + can be removed with the new img_allowed_formats setup option. + See + or for + more details. + + -- Simon McVittie Fri, 06 May 2016 07:07:29 +0100 + ikiwiki (3.20150610) unstable; urgency=low The new "emailauth" plugin allows users to authenticate using an email diff --git a/doc/ikiwiki/directive/img.mdwn b/doc/ikiwiki/directive/img.mdwn index fa3b40f50..a940a44b6 100644 --- a/doc/ikiwiki/directive/img.mdwn +++ b/doc/ikiwiki/directive/img.mdwn @@ -41,4 +41,27 @@ the page, unless overridden. Useful when including many images on a page. \[[!img photo2.jpg]] \[[!img photo3.jpg size=200x600]] +## format support + +By default, the `img` directive only supports a few common web formats: + +* PNG (`.png`) +* JPEG (`.jpg` or `.jpeg`) +* GIF (`.gif`) +* SVG (`.svg`) + +These additional formats can be enabled with the `img_allowed_formats` +[[!iki setup]] option, but are disabled by default for better +[[!iki security]]: + +* PDF (`.pdf`) +* `everything` (accepts any file supported by ImageMagick: make sure + that only completely trusted users can + [[upload attachments|ikiwiki/pagespec/attachment]]) + +For example, a wiki where only `admin()` users can upload attachments might +use: + + img_allowed_formats: [png, jpeg, gif, svg, pdf] + [[!meta robots="noindex, follow"]] diff --git a/doc/security.mdwn b/doc/security.mdwn index d5a0266cd..6d4841fe6 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -178,7 +178,8 @@ the same standards as the rest of ikiwiki, but with that said, here are some security notes for them. * The [[plugins/img]] plugin assumes that imagemagick/perlmagick are secure - from malformed image attacks. Imagemagick has had security holes in the + from malformed image attacks for at least the formats listed in + `img_allowed_formats`. Imagemagick has had security holes in the past. To be able to exploit such a hole, a user would need to be able to upload images to the wiki. @@ -506,3 +507,22 @@ The hole was reported on March 24th, a fix was developed on March 27th, and the fixed version 3.20150329 was released on the 29th. A fix was backported to Debian jessie as version 3.20141016.2 and to Debian wheezy as version 3.20120629.2. An upgrade is recommended for sites using CGI and openid. + +## XSS via error messages + +CGI error messages did not escape HTML meta-characters, potentially +allowing an attacker to carry out cross-site scripting by directing a +user to a URL that would result in a crafted ikiwiki error message. This +was discovered on 4 May by the ikiwiki developers, and the fixed version +3.20160506 was released on 6 May. An upgrade is recommended for sites using +the CGI. + +## ImageMagick CVE-2016–3714 ("ImageTragick") + +ikiwiki 3.20160506 attempts to mitigate [[!cve CVE-2016-3714]] and any +future ImageMagick vulnerabilities that resemble it, by restricting the +image formats that the [[ikiwiki/directive/img]] directive is willing to +resize. An upgrade is recommended for sites where an untrusted user is +able to attach images. Upgrading ImageMagick to a version where +CVE-2016-3714 has been fixed is also recommended, but at the time of +writing no such version is available. -- cgit v1.2.3