Vulnerability CVE-2016–3714 in ImageMagick was disclosed yesterday. One of the vulnerabilities can lead to remote code execution (RCE) when processing user submitted images. See ImageMagick’s disclosure. See related paperclip issue. Updates and proof of concept will be available in imagetragick.com.
The Paperclip gem makes use of ImageMagick. It verifies the files before sending
them to ImageMagick for processing. It does this by [checking the “magic bytes”]
in the file, using the
mimemagic gem and the
file(1) command. It has done
this since v4.3 (commit).
Paperclip versions 4.2.2 and newer don’t have known vulnerabilities (versions earlier than 4.2.2 are vulnerable to CVE-2015-2963). There is no need to upgrade Paperclip in light of CVE-2016–3714. You may choose to upgrade ImageMagick regardless.