[Bug 2004580] Re: Possible arbitrary file leak
David Zuelke
2004580 at bugs.launchpad.net
Tue Feb 28 12:39:29 UTC 2023
You're of course correct in principle, but the trouble here is that this
is a vulnerability that's very hard to counter using OS limits/profiles
or ImageMagick profiles, because you need to write user input to some
location on the file system in order to process it, and so at least that
file system location is automatically vulnerable to exfiltration,
because the ImageMagick process must be allowed to read it to load the
uploaded image.
On top of that, I for instance work for a platform provider where we
can't even know ahead of time what filesystem location a customer's code
(or the library/framework they're using) will use for e.g. uploaded file
storage - is it /tmp, is it somewhere else - so it's not feasible to
lock down paths using an ImageMagick policy in a way that doesn't break
countless existing customers.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/2004580
Title:
Possible arbitrary file leak
Status in imagemagick package in Ubuntu:
Confirmed
Bug description:
More details can be found here:
https://www.metabaseq.com/imagemagick-zero-days/
Affected versions:
Injection via "-authenticate"
- ImageMagick 6: 6.9.8-1 up to 6.9.11-40
Exploitation via MSL:
- ImageMagick 6: 6.9.11-35 up to 6.9.11-40
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2004580/+subscriptions
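The comment above explains why a path-based ImageMagick policy is hard to deploy when the upload directory is not known in advance. What a platform operator can still do without knowing that directory is narrow the coders ImageMagick is willing to run, since the bug description lists MSL as one exploitation route. The fragment below is an added example, not part of this thread and not ImageMagick's shipped policy.xml; it assumes the distribution's policy file lives at /etc/ImageMagick-6/policy.xml (the path and the exact coder set are assumptions to be checked against the deployment). The "path" rule with the "@*" pattern is the directive ImageMagick uses to refuse indirect reads of file contents through the @filename syntax; it does not restrict which directories an image may be read from, so it does not address the exfiltration concern raised above on its own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy fragment (assumed location: /etc/ImageMagick-6/policy.xml).
     Each <policy> entry narrows what the ImageMagick library may do; entries are
     evaluated regardless of which directory the caller stores uploads in. -->
<policymap>
  <!-- Disable the MSL coder, the exploitation route named in the bug description.
       Applications that only convert, resize or thumbnail uploaded images do not
       need MSL scripting. -->
  <policy domain="coder" rights="none" pattern="MSL"/>

  <!-- Refuse indirect reads via "@filename" arguments, so an option value supplied
       by a caller cannot pull the contents of an arbitrary file into the image
       pipeline. This limits one read primitive only; it is not a directory lock. -->
  <policy domain="path" rights="none" pattern="@*"/>

  <!-- Disable external delegate programs (e.g. Ghostscript) unless they are
       explicitly required; delegates are a separate attack surface from the
       built-in coders above. Remove this line if PDF/PS processing is needed. -->
  <policy domain="delegate" rights="none" pattern="*"/>
</policymap>
```

After editing the policy, confirm which rules are in force with `identify -list policy` (run as the same user and with the same MAGICK_CONFIGURE_PATH as the application, since ImageMagick reads policy files from several locations and the first match wins). Because these rules act on coders and delegates rather than on file-system paths, they can be applied fleet-wide without knowing each customer's upload location; the trade-off described in the comment above, that the process must still be able to read whatever directory the uploads land in, remains and has to be handled at the OS or container layer.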