[Pkg-gmagick-im-team] Bug#977205: imagemagick: CVE-2020-29599

Bastien ROUCARIES roucaries.bastien+imagemagick at gmail.com
Tue Dec 15 09:34:59 GMT 2020


Hi,

As said on debian-private, go ahead please. I am late due to a payjob issue.

Bastien

On Sat, Dec 12, 2020 at 3:06 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> Source: imagemagick
> Version: 8:6.9.11.24+dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for imagemagick.
>
> A very extensive blogpost[1] explains the issue. Note that although
> the provided POC so far only works in ImageMagick 7, the issue is
> present as well in legacy ImageMagick 6; affected versions should be
> around 6.9.8-1 onwards.
>
> The required fixes for ImageMagick6 are referenced in the
> security-tracker.
>
> As a side note: For buster the issue is mitigated as the recent DSA
> included the 200-disable-ghostscript-formats.patch patch and disables
> ghostscript handled formats. As a hardening measure against those
> issues it might be ideal to ship the disabling as well in bullseye.
>
> CVE-2020-29599[0]:
> | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
> | -authenticate option, which allows setting a password for password-
> | protected PDF files. The user-controlled password was not properly
> | escaped/sanitized and it was therefore possible to inject additional
> | shell commands via coders/pdf.c.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-29599
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599
> [1] https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
>
> Regards,
> Salvatore
>
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
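
Added example, not part of the original mail and not Debian's or ImageMagick's own code: a small audit for the mitigation mentioned above, checking whether an ImageMagick policy.xml disables the Ghostscript-handled coders. The coder list, the two sample policies and the conservative matching rule are assumptions of this example.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumed list of coders handed to Ghostscript (the mail does not enumerate them).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample policies, not copied from any package.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS*"/>
  <policy domain="coder" rights="none" pattern="{EPS,PDF,XPS}"/>
</policymap>"""
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS}"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
</policymap>"""


def _patterns(raw):
    """Split a pattern such as "{PS,PDF}" or "PS*" into glob alternatives."""
    raw = raw.strip()
    if raw.startswith("{") and raw.endswith("}"):
        raw = raw[1:-1]
    return [p.strip().upper() for p in raw.split(",") if p.strip()]


def enabled_ghostscript_coders(policy_xml):
    """Return the Ghostscript coders that the policy does not fully disable.

    Conservative rule (assumption): a coder counts as disabled only if at
    least one domain="coder" rule matches it and every matching rule has
    rights="none", so the verdict does not depend on rule precedence.
    Rules in other domains (for example "module") are not considered.
    """
    root = ET.fromstring(policy_xml)
    enabled = []
    for coder in GHOSTSCRIPT_CODERS:
        rights = [
            p.get("rights", "").strip().lower()
            for p in root.iter("policy")
            if p.get("domain", "").lower() == "coder"
            and any(fnmatch.fnmatchcase(coder, g)
                    for g in _patterns(p.get("pattern", "")))
        ]
        if not rights or any(r != "none" for r in rights):
            enabled.append(coder)
    return enabled


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, "still enabled:", enabled_ghostscript_coders(text) or "none")
```

To audit a real system, pass the contents of the installed policy.xml to `enabled_ghostscript_coders` in place of the samples; its location varies by ImageMagick version and packaging.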


