[Pkg-gmagick-im-team] Bug#977205: imagemagick: CVE-2020-29599
roucaries.bastien+imagemagick at gmail.com
Tue Dec 15 09:34:59 GMT 2020
As said on debian-private, go ahead please. I am late due to payjob issue.
On Sat, Dec 12, 2020 at 3:06 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> Source: imagemagick
> Version: 8:18.104.22.168+dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> The following vulnerability was published for imagemagick.
> A very extensive blogpost explains the issue, and note that the
> provided POC though does only work so far in ImageMagick7 the issue is
> present as well in legacy ImageMagick 6, affected versions should be
> around 6.9.8-1 onwards.
> The required fixes for ImageMagick6 are referenced in the
> As a side note: For buster the issue is mitigated as the recent DSA
> included the 200-disable-ghostscript-formats.patch patch and disables
> ghostscript handled formats. As a hardening measure against those
> issues it might be ideal to ship the disabling as well in bullseye.
> | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
> | -authenticate option, which allows setting a password for password-
> | protected PDF files. The user-controlled password was not properly
> | escaped/sanitized and it was therefore possible to inject additional
> | shell commands via coders/pdf.c.
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
>  https://security-tracker.debian.org/tracker/CVE-2020-29599
>  https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
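Two checks a defender can derive from this report, as an added example that is not part of the original thread and is not Debian's or ImageMagick's code: whether an upstream version is at or past the fixed releases named in the CVE text, and whether a policy.xml still leaves Ghostscript-handled coders enabled. The coder list, the last-matching-entry-wins evaluation within one file, and the sample policy are assumptions constructed for illustration.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Assumption: coders ImageMagick delegates to Ghostscript (the report does not list them).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")
# First fixed upstream releases, as quoted in the CVE text.
FIXED = {6: (6, 9, 11, 40), 7: (7, 0, 10, 40)}

# Constructed sample policy: PDF was left out of the deny list.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def has_fix(upstream_version):
    """True if a version such as '6.9.11-24' is at or past the fixed release."""
    nums = tuple(int(n) for n in re.findall(r"\d+", upstream_version)[:4])
    if len(nums) != 4 or nums[0] not in FIXED:
        raise ValueError(f"unrecognised ImageMagick version: {upstream_version!r}")
    return nums >= FIXED[nums[0]]


def enabled_ghostscript_coders(policy_xml):
    """Return the Ghostscript-backed coders not set to rights="none"."""
    blocked = {}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        pattern = pol.get("pattern", "").upper()
        brace = re.fullmatch(r"\{(.*)\}", pattern)  # e.g. {PS,PDF,XPS}
        globs = brace.group(1).split(",") if brace else [pattern]
        for coder in GHOSTSCRIPT_CODERS:
            if any(fnmatch.fnmatchcase(coder, g.strip()) for g in globs):
                # Assumption: a later matching entry overrides an earlier one.
                blocked[coder] = pol.get("rights", "").lower() == "none"
    return [c for c in GHOSTSCRIPT_CODERS if not blocked.get(c, False)]


if __name__ == "__main__":
    print("6.9.11-24 has fix:", has_fix("6.9.11-24"))
    print("still enabled:", enabled_ghostscript_coders(SAMPLE_POLICY))
```
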