ImageMagick vulnerability does not affect Paperclip

UPDATE: Paperclip IS vulnerable to ImageTragick

Vulnerability CVE-2016–3714 in ImageMagick was disclosed yesterday. One of the vulnerabilities can lead to remote code execution (RCE) when processing user submitted images. See ImageMagick’s disclosure. See related paperclip issue. Updates and proof of concept will be available in imagetragick.com.

The Paperclip gem makes use of ImageMagick. It verifies the files before sending them to ImageMagick for processing. It does this by checking the “magic bytes” in the file, using the mimemagic gem and the file(1) command. It has done this since v4.3 (commit).

Paperclip versions 4.2.2 and newer don’t have known vulnerabilities (versions earlier than 4.2.2 are vulnerable to CVE-2015-2963). There is no need to upgrade Paperclip in light of CVE-2016–3714. You may choose to upgrade ImageMagick regardless.