[Pkg-gmagick-im-team] Bug#977205: imagemagick: CVE-2020-29599

Salvatore Bonaccorso carnil at debian.org
Sat Dec 12 14:02:52 GMT 2020


Source: imagemagick
Version: 8:6.9.11.24+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for imagemagick.

A very extensive blogpost[1] explains the issue. Note that although the
provided PoC so far only works on ImageMagick 7, the issue is present as
well in legacy ImageMagick 6; affected versions should be around 6.9.8-1
onwards.

The required fixes for ImageMagick6 are referenced in the
security-tracker.

As a side note: for buster the issue is mitigated, as the recent DSA
included the 200-disable-ghostscript-formats.patch patch and disables
ghostscript-handled formats. As a hardening measure against such
issues it might be ideal to ship the disabling in bullseye as well.

CVE-2020-29599[0]:
| ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
| -authenticate option, which allows setting a password for password-
| protected PDF files. The user-controlled password was not properly
| escaped/sanitized and it was therefore possible to inject additional
| shell commands via coders/pdf.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29599
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599
[1] https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
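The CVE text above describes a classic command-injection shape: a user-controlled value (the PDF password) is interpolated into a command line that a shell later re-parses. The following is an added example, not ImageMagick's code and not the upstream fix; it puts that vulnerable pattern beside two defensive alternatives, an allow-list check and an argv-based invocation that never involves a shell. The function names are hypothetical, the password string is constructed for the demonstration, and the use of Ghostscript's -sPDFPassword= option here is an assumption rather than something taken from coders/pdf.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the shape the CVE text describes): the password is
 * interpolated into one command string that a shell will re-parse, e.g. via
 * system() or popen(). A '"' inside the password closes the quoted argument,
 * and ';' then starts a second command. */
int build_shell_command(const char *password, char *out, size_t outlen)
{
    /* -sPDFPassword= is a real Ghostscript option; its use here is assumed. */
    return snprintf(out, outlen,
                    "gs -q -dNOPAUSE -sPDFPassword=\"%s\" input.pdf", password);
}

/* Defence 1: allow-list the value before it goes anywhere near a command line.
 * Anything outside the listed characters is rejected outright; this is more
 * robust than escaping, where a single missed metacharacter reopens the hole. */
bool password_is_safe(const char *password)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-@";
    if (password == NULL || password[0] == '\0')
        return false;
    return strspn(password, allowed) == strlen(password);
}

/* Defence 2 (preferred): no shell at all. Build an argv array for execvp() or
 * posix_spawnp(); the password travels as one argument regardless of content,
 * so quotes and ';' are just bytes. Returns 0, or -1 if it does not fit. */
int build_argv(const char *password, const char *input_path,
               char *pw_buf, size_t pw_len, char *argv[6])
{
    int n = snprintf(pw_buf, pw_len, "-sPDFPassword=%s", password);
    if (n < 0 || (size_t)n >= pw_len)
        return -1;
    argv[0] = "gs";
    argv[1] = "-q";
    argv[2] = "-dNOPAUSE";
    argv[3] = pw_buf;
    argv[4] = (char *)input_path;
    argv[5] = NULL;
    return 0;
}

/* Number of entries before the terminating NULL. */
size_t argv_count(char *argv[])
{
    size_t n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample: a password carrying a quote and a semicolon. */
    const char *hostile = "abc\"; injected; \"";
    char cmd[256], pw[128], *argv[6];

    build_shell_command(hostile, cmd, sizeof cmd);
    printf("shell sees : %s\n", cmd);          /* two commands, not one */
    printf("allow-list : %s\n",
           password_is_safe(hostile) ? "accepted" : "rejected");

    if (build_argv(hostile, "input.pdf", pw, sizeof pw, argv) == 0) {
        printf("argv count : %zu\n", argv_count(argv));
        printf("argv[3]    : %s\n", argv[3]);  /* one argument, never re-parsed */
    }
    return 0;
}
```

The argv route is the durable fix because it removes the shell from the picture entirely; the allow-list is a cheap second layer for values that have no business containing metacharacters in the first place. This is also why the disable-ghostscript-formats hardening mentioned above is worthwhile regardless of the code fix: a delegate that is never spawned cannot be injected into.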
