[Bug 2004580] Re: Possible arbitrary file leak

David Zuelke 2004580 at bugs.launchpad.net
Mon Feb 27 13:06:31 UTC 2023 

The fix committed to bionic applies cleanly to focal:

ubuntu-imagemagick % git checkout origin/applied/ubuntu/focal-security  
Previous HEAD position was 9d9d88c18 8:6.9.7.4+dfsg-16ubuntu6.15 (patches applied)
HEAD is now at d5cfbaeb8 8:6.9.10.23+dfsg-2.1ubuntu11.4 (patches applied)

ubuntu-imagemagick % git cherry-pick ff63fb0005ef2b9a35ca0811fcf391824586d0dc
Auto-merging coders/png.c
[detached HEAD 0d1b05180] [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file
 Author: Marc Deslauriers <marc.deslauriers at ubuntu.com>
 Date: Thu Feb 9 12:11:42 2023 -0500
 1 file changed, 13 insertions(+), 2 deletions(-)


For jammy, the upstream commit (https://github.com/ImageMagick/ImageMagick6/commit/d77c01e560e973177feed4915ffd7dd1a45fd763) applies almost verbatim; the preprocessor conditionals from upstream ("#if 0  /* security risk -- disable for now */") around the removed block in magick/property.c are not in jammy, so that gets rejected:

ubuntu-imagemagick % git checkout origin/applied/ubuntu/jammy           
Previous HEAD position was d5cfbaeb8 8:6.9.10.23+dfsg-2.1ubuntu11.4 (patches applied)
HEAD is now at bc5d3ac18 8:6.9.11.60+dfsg-1.3build2 (patches applied)

ubuntu-imagemagick % curl -s https://github.com/ImageMagick/ImageMagick6/commit/d77c01e560e973177feed4915ffd7dd1a45fd763.patch | patch -p1
patching file 'magick/property.c'
Reversed (or previously applied) patch detected!  Assume -R? [y] n
Apply anyway? [n] y
1 out of 1 hunks failed--saving rejects to 'magick/property.c.rej'
patching file 'wand/mogrify.c'

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/2004580

Title:
  Possible arbitrary file leak

Status in imagemagick package in Ubuntu:
  Confirmed

Bug description:
  More details can be found here:

  https://www.metabaseq.com/imagemagick-zero-days/

  Affected versions:

      Injection via "-authenticate"
      - ImageMagick 6: 6.9.8-1 up to 6.9.11-40
      Explotation via MSL:
      -ImageMagick 6: 6.9.11-35 up to 6.9.11-40

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2004580/+subscriptions

More information about the foundations-bugs mailing list