Installing a different version of ImageMagick on CentOS 7

Post by gentlemedia » 2017/07/16 15:52:07

Hi,

I have the following server requirements of the CS-Cart CMS:

"We strongly recommend using at least ImageMagick 6.9.3-10 or higher, as it includes a critical vulnerability fix. ImageMagick 7 is not supported yet."

When I install ImageMagick plus some RPM packages with

Code:

yum install ImageMagick ImageMagick-devel pcre-devel

I see CentOS installs the ImageMagick version 6.7.8.9-15

So in order to install the recommended version I have to do it differently and please bear with me, I'm not an expert with the command-line. On the contrary, I'm more or less of a noob :)

Anyway, I've found an index with all the releases and I want to install the following release.
https://www.imagemagick.org/download/re ... 9-0.tar.xz

Although I've never heard of tar.xz I'm more familiar with tar.gz. There's also a .zip version of this release on that index page, see https://www.imagemagick.org/download/releases/

What commands do I need or how do I install this version on CentOS?
I did find a thread on another forum explaining how, but it's 4 years old and I'm not sure if it's the right way. Especially with the difference in wget URL.
http://www.webhostingtalk.com/showthread.php?t=1528610

Post by TrevorH » 2017/07/16 17:33:19

It's almost certain that the version in CentOS already has the patch for any vulnerability. See https://access.redhat.com/security/updates/backporting/ for how it works.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by gentlemedia » 2017/07/16 19:50:02

Thanks, TrevorH!

I can live with 'almost certain', but if this can be confirmed by someone that would be great!

Although I found the RPM of the ImageMagick version I was after, see https://www.imagemagick.org/download/li ... OS/x86_64/
but when I tried that with...

Code:

wget https://www.imagemagick.org/download/linux/CentOS/x86_64/ImageMagick-libs-6.9.9-0.x86_64.rpm
rpm -uvh ImageMagick-6.9.9-0.x86.rpm

...the wget download got saved somewhere, but I got an alert with the second command.
rpm -uvh unknown option
So I will just install the older version and hope for the best :)

Post by avij » 2017/07/16 21:29:23

gentlemedia wrote: I can live with 'almost certain', but if this can be confirmed by someone that would be great!

That would require knowing which particular vulnerability (typically with a CVE identifier) CS-Cart is referring to. When you know the CVE ID, you can grep for its ID from ImageMagick's changelog, like this:

Code:

# rpm -q --changelog ImageMagick | grep -i CVE
- Added fix for CVE-2016-5118, CVE-2016-5240, rhbz#1269562,
- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717
- backported r13736 to fix CVE-2014-1947, CVE-2014-2030 (rhbz#1083080)
- Update to 6.7.8-9 to fix CVE-2012-3437 (bz#844101, 844103).
- heap overflows (#235075, CVE-2007-1797)
- fix several integer and buffer overflows (#202193, CVE-2006-3743)
- fix more integer overflows (#202771, CVE-2006-4144)
- Fix a heap overflow CVE-2006-2440 (#192279)
- fix a format string vulnerability (CVE-2006-0082)

If the CVE you are interested in doesn't show up in the changelog, it is possible that the CentOS version of ImageMagick is not affected due to different compile options, for example. In this case you should check Red Hat's CVE database, for example https://access.redhat.com/security/cve/CVE-2016-5118

Post by TrevorH » 2017/07/17 09:34:12

gentlemedia wrote: I can live with 'almost certain', but if this can be confirmed by someone that would be great!

That "someone" would be you.

Post by gentlemedia » 2017/07/17 11:36:59

TrevorH wrote: That "someone" would be you.

Yes, I understood that from avij's post.
I ran that command to see what gets listed on my server, but I got the messages "grep is not installed" and "CVE is not installed".

To install those first and to contact CS-Cart to ask which critical vulnerability fix it might be, then it would be easier and quicker to install the right ImageMagick version from the source.
I've found info on the ImageMagick website on how to do this.
https://www.imagemagick.org/script/install-source.php

Post by TrevorH » 2017/07/17 11:43:25

No, really, don't do that. If you do then you are now solely responsible for looking after its security from now onwards. Without knowing the CVE number involved, no-one can tell you if the vulnerability is already patched though I would expect it to be. If you replace the package with one of your own or a source build then you will need to sign up for the security mailing list for that package and rebuild it whenever they find anything new. If you stick with the CentOS provided one, all you need to do is regularly run yum update.

gentlemedia wrote: I got the messages "grep is not installed" and "CVE is not installed".

Are you sure you entered the command correctly? I cannot imagine an install of CentOS that doesn't contain grep out of the box - in fact I just tested and it is an essential package that is impossible to remove - trying to do so with yum remove grep gives a few dozen pages of messages and ends with

Code:

Error: Trying to remove "systemd", which is protected
Error: Trying to remove "yum", which is protected

Post by gentlemedia » 2017/07/17 12:10:23

TrevorH wrote: No, really, don't do that. If you do then you are now solely responsible for looking after its security from now onwards.

Sure! If you say so, I won't. :)

TrevorH wrote: Are you sure you entered the command correctly?

Yes, I did 3 times now and I get those messages.

So I ran a check if grep is installed or not with yum info grep and the package is indeed installed on the server, so not sure why it says Package: grep is not installed when I run that rpm command.
I also ran yum info CVE and there I get the message Error: No matching Packages to list.

So I guess I have to try to get that CVE number from that vulnerability fix CS-Cart is talking about.

Post by gentlemedia » 2017/07/17 12:19:34

I forgot to mention that when I ran that rpm command, I do get the changelog list and it shows all the info about the ImageMagick package. But at the bottom I get those two 'not installed' messages.

Post by avij » 2017/07/17 12:52:21

gentlemedia wrote:
TrevorH wrote: Are you sure you entered the command correctly?
Yes, I did 3 times now and I get those messages.

Try writing that line yourself. Here is the command line again with annotations:

rpm -q --changelog
  • instructs rpm to show the changelog of a package
ImageMagick
  • the package to be queried
|
  • the pipe character
grep -i CVE
  • searches for the text "CVE" from the output of the previous command, with case insensitivity
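
The changelog check from avij's two posts above, wrapped in a script that looks up specific CVE IDs and points to Red Hat's CVE page for any that are not mentioned. This is an added example, not part of the original thread; the function names, the script name and the CVE-0000-0000 placeholder are assumptions, and the sample changelog lines are copied from the output quoted earlier.

```shell
#!/bin/sh
# Added example: look up CVE IDs in an RPM package changelog.

# Sample input: changelog lines copied from the rpm output quoted in this thread.
SAMPLE_CHANGELOG='- Added fix for CVE-2016-5118, CVE-2016-5240, rhbz#1269562,
- Add fix for CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717
- backported r13736 to fix CVE-2014-1947, CVE-2014-2030 (rhbz#1083080)
- Update to 6.7.8-9 to fix CVE-2012-3437 (bz#844101, 844103).'

# valid_cve ID: succeed only for a well-formed identifier (CVE-YYYY-NNNN...).
valid_cve() {
    printf '%s\n' "$1" | grep -Eqi '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# cve_status ID: read changelog text on stdin and print one of
#   in-changelog  the packager mentions the ID in the changelog
#   not-listed    no mention; look the ID up in Red Hat's CVE database
#   invalid       the argument is not a CVE identifier
cve_status() {
    if ! valid_cve "$1"; then echo invalid; return 0; fi
    # -F: literal match, -i: any case, -w: CVE-2016-3714 must not match CVE-2016-37140
    if grep -qiwF -- "$1"; then echo in-changelog; else echo not-listed; fi
}

# check_cves PKG ID...: use the installed package's changelog when rpm has it,
# otherwise fall back to SAMPLE_CHANGELOG so the script also runs off-box.
check_cves() {
    pkg=$1; shift
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        log=$(rpm -q --changelog "$pkg")
    else
        log=$SAMPLE_CHANGELOG
    fi
    for id in "$@"; do
        status=$(printf '%s\n' "$log" | cve_status "$id")
        printf '%-16s %s\n' "$id" "$status"
        if [ "$status" = not-listed ]; then
            printf '  check https://access.redhat.com/security/cve/%s\n' "$id"
        fi
    done
}

# Example: sh cve-check.sh ImageMagick CVE-2016-3714 CVE-0000-0000
# (CVE-0000-0000 is a placeholder ID, used only to show the not-listed case.)
if [ "$#" -gt 0 ]; then check_cves "$@"; fi
```

A "not-listed" result does not by itself mean the package is vulnerable; as noted in the thread, the CentOS build may be unaffected, which is what the Red Hat CVE page records.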
