OpenShift Online recently had a patch applied to resolve the ImageTragick vulnerability (CVE-2016–3714) in the ImageMagick image processing library. ImageMagick® is a software suite to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200).
Many of our users depend on ImageMagick, and it’s important to note that part of the fix for this vulnerability was to add safeguards in the systemwide ImageMagick policy.xml file, as described here. If you find that the new systemwide policy causes problems with your application hosted on OpenShift, here is a workaround for providing your own policy:
- In your git repository, create a directory for the policy file — we’ll call it .im in this example.
- Create your desired policy.xml, storing it the directory we just created such as: .im/policy.xml
- Within your application, set the MAGICK_CONFIGURE_PATH environment variable to $OPENSHIFT_REPO_DIR/.im
- Commit and push your changes (make sure to test!)
Note that I am purposely avoiding rhc set-env here because custom environment variables are not interpolated, and setting absolute directory paths in environment variables won’t work for scaled applications unless you use a namespaced directory such as /tmp.
We apologize for any inconvenience this update may have caused, but given the widespread use of this library and the existence of well-documented exploits, we believed that patching quickly was the best way to protect our users. If you have any issues related to this, please contact us. The OpenShift Operations Team continuously monitors applications and vulnerabilities. They work to quickly resolve and provide simple solutions with minimal impact to you applications.
About ImageMagick — It is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. It is distributed under the Apache 2.0 license.