Source: imagemagick
Version: 8:6.9.11.24+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for imagemagick.

A very extensive blogpost[1] explains the issue. Note that although the
provided POC so far only works in ImageMagick 7, the issue is present as
well in legacy ImageMagick 6; affected versions should be around 6.9.8-1
onwards.

The required fixes for ImageMagick6 are referenced in the
security-tracker.

As a side note: For buster the issue is mitigated, as the recent DSA
included the 200-disable-ghostscript-formats.patch patch and disables
the Ghostscript-handled formats. As a hardening measure against these
issues it might be ideal to ship the disabling as well in bullseye.

CVE-2020-29599[0]:
| ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
| -authenticate option, which allows setting a password for password-
| protected PDF files. The user-controlled password was not properly
| escaped/sanitized and it was therefore possible to inject additional
| shell commands via coders/pdf.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599
[1] https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
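
The CVE text above describes a password that reaches a shell command line without escaping. As an added illustration that is not part of this report or of ImageMagick's own code, the following C helper (hypothetical names build_password_option and quoting_matches) shows one way to make such a value inert before it reaches the shell; the -sPDFPassword= option name is Ghostscript's, everything else is constructed.

```c
#include <stdlib.h>
#include <string.h>

#define PASSWORD_OPTION "-sPDFPassword="

/* Hypothetical helper, not ImageMagick code: build the Ghostscript password
 * argument with the untrusted value wrapped in POSIX single quotes.  Inside
 * single quotes every byte is literal, so the only byte needing care is the
 * quote itself, emitted as '\'' (close, backslash-escaped quote, reopen).
 * Returns a malloc'd string, or NULL on allocation failure; caller frees. */
char *build_password_option(const char *password)
{
  size_t len = strlen(password), quotes = 0, i, j;
  for (i = 0; i < len; i++)
    if (password[i] == '\'')
      quotes++;
  /* prefix + two surrounding quotes + three extra bytes per embedded quote + NUL */
  char *out = malloc(strlen(PASSWORD_OPTION) + len + 2 + 3 * quotes + 1);
  if (out == NULL)
    return NULL;
  j = strlen(PASSWORD_OPTION);
  memcpy(out, PASSWORD_OPTION, j);
  out[j++] = '\'';
  for (i = 0; i < len; i++) {
    if (password[i] == '\'') {
      memcpy(out + j, "'\\''", 4);
      j += 4;
    } else
      out[j++] = password[i];
  }
  out[j++] = '\'';
  out[j] = '\0';
  return out;
}

/* Returns 1 if quoting `password` yields exactly `expected`, else 0. */
int quoting_matches(const char *password, const char *expected)
{
  char *opt = build_password_option(password);
  int ok = (opt != NULL && strcmp(opt, expected) == 0);
  free(opt);
  return ok;
}
```

Quoting like this is a mitigation for a delegate command assembled as one string; passing the argument through an argv array with no shell in between removes the bug class instead of escaping around it.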
