Redmine

How do you think we should do?

Sahya, thank you for reporting this issue so quickly.

I think that Redmine 3.3.2 / 3.2.5 (released on 2017-01-07) and later are not affected with the vulnerability because they don't process Utah RLE images. By the change introduced in r16092, Redmine don't make ImageMagick process a image if the image format is not BMP, GIF, JPEG and PNG. But older versions of Redmine are vulnerable.

On my CentOS7.

$ wget https://downloads.sourceforge.net/project/utahrastertoolkit/urt-img.tar
$ tar xf urt-img.tar
$ LC_ALL=C file img/christmas_ball.rle 
img/christmas_ball.rle: RLE image data, 400 x 400, clear first, alpha channel, comment, 3 color channels, 8 bits per pixel
$ sudo mv /usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.so /usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.so.CVE-2017-9098
$ convert img/christmas_ball.rle img/christmas_ball.png
convert: unable to load module `/usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.la': file not found @ error/module.c/OpenModule/1278.
convert: no decode delegate for this image format `img/christmas_ball.rle' @ error/constitute.c/ReadImage/544.
convert: no images defined `img/christmas_ball.png' @ error/convert.c/ConvertImageCommand/3046.
$ echo $?
1
$ LC_ALL=C ls img/christmas_ball.png
ls: cannot access img/christmas_ball.png: No such file or directory

Toshi MARUYAMA wrote:
How do you think we should do?

I think severity level of the vulnerability is high.
And any website is fixed.
I remember that Redmine use imagemagick.
So I reported this issue.