Source: imagemagick
Version: 8:6.9.11.24+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for imagemagick.

A very extensive blogpost[1] explains the issue, and note that though
the provided POC does only work so far in ImageMagick7, the issue is
present as well in legacy ImageMagick 6; affected versions should be
around 6.9.8-1 onwards. The required fixes for ImageMagick6 are
referenced in the security-tracker.

As a side note: For buster the issue is mitigated as the recent DSA
included the 200-disable-ghostscript-formats.patch patch and disables
ghostscript handled formats. As a hardening measure against those
issues it might be ideal to ship the disabling as well in bullseye.

CVE-2020-29599[0]:
| ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
| -authenticate option, which allows setting a password for password-
| protected PDF files. The user-controlled password was not properly
| escaped/sanitized and it was therefore possible to inject additional
| shell commands via coders/pdf.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599
[1] https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
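
An added example, not part of the original report and not Debian's or ImageMagick's own code: a check that an ImageMagick policy.xml denies the Ghostscript-handled coders, which is the mitigation the report describes for buster. The coder list, the function names and the sample policies are assumptions constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumption: the coders ImageMagick delegates to Ghostscript; adjust per build.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

def expand_braces(pattern):
    """Expand one {A,B,C} brace group, which fnmatch does not understand."""
    start, end = pattern.find("{"), pattern.find("}")
    if start == -1 or end < start:
        return [pattern]
    head, tail = pattern[:start], pattern[end + 1:]
    return [head + alt.strip() + tail for alt in pattern[start + 1:end].split(",")]

def exposed_coders(policy_xml, coders=GHOSTSCRIPT_CODERS):
    """Return the coders that the policy does not reliably deny.

    Conservative on purpose: a coder counts as denied only when a matching
    rule has rights="none" and no matching rule grants any right, so the
    answer does not depend on rule-ordering semantics.
    """
    root = ET.fromstring(policy_xml)
    exposed = []
    for coder in coders:
        denied = granted = False
        for rule in root.iter("policy"):
            if rule.get("domain", "").lower() != "coder":
                continue
            globs = expand_braces(rule.get("pattern", ""))
            if not any(fnmatch.fnmatchcase(coder, g) for g in globs):
                continue
            if rule.get("rights", "").strip().lower() == "none":
                denied = True
            else:
                granted = True
        if granted or not denied:
            exposed.append(coder)
    return exposed

# Constructed sample policies (not taken from any real system).
HARDENED = "<policymap>" + "".join(
    f'<policy domain="coder" rights="none" pattern="{c}"/>'
    for c in GHOSTSCRIPT_CODERS) + "</policymap>"
PARTIAL = '<policymap><policy domain="coder" rights="none" pattern="{PS,EPS,PDF}"/></policymap>'
REOPENED = HARDENED.replace(
    "</policymap>", '<policy domain="coder" rights="read|write" pattern="PDF"/></policymap>')

if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED), ("partial", PARTIAL), ("reopened", REOPENED)):
        print(name, exposed_coders(doc))
```

An empty result means every listed coder is denied; any name returned is a format that can still reach the Ghostscript delegate on that host.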