[Bug 2004580] Re: Possible arbitrary file leak

David Zuelke 2004580 at bugs.launchpad.net
Thu Mar 30 02:05:17 UTC 2023


Okay, this needs immediate reverting, Paulo -
CVE-2022-44267_44268-2.patch (or -3.patch for jammy) removes any access
to /etc/, so ImageMagick can't even load its own /etc/ImageMagick/type-
ghostscript.xml for GS font usage anymore!

See bug
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2012684

This "mitigation" should not have been added. My PoC PNG file
exfiltrated /etc/hosts, but it could just as well have been
/var/log/syslog, or /usr/local/foobar/etc/secretfile, or
/proc/1/environ. There is no point in trying to address this via a
policy file. The fix must be in code, and it is, so this policy file
change can be removed again.

I am attaching corrected and cleaned up patches for focal and jammy,
split into two parts the way I initially proposed.

(Your focal patch files are named ..._1.patch and ...-2.patch, FYI).

https://bugs.launchpad.net/bugs/2004580

Title:
  Possible arbitrary file leak

Status in imagemagick package in Ubuntu:
  Fix Released

Bug description:
  More details can be found here:

  https://www.metabaseq.com/imagemagick-zero-days/

  Affected versions:

      Injection via "-authenticate"
      - ImageMagick 6: 6.9.8-1 up to 6.9.11-40
      Exploitation via MSL:
      - ImageMagick 6: 6.9.11-35 up to 6.9.11-40
