Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 893526 (CVE-2022-44267, CVE-2022-44268) - <media-gfx/imagemagick-{6.9.12.76, 7.1.0.61}: information disclosure / local file inclusion
Summary: <media-gfx/imagemagick-{6.9.12.76, 7.1.0.61}: information disclosure / local ...
Status: IN_PROGRESS
Alias: CVE-2022-44267, CVE-2022-44268
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on: 895246 900897 900899
Blocks:
  Show dependency tree
 
Reported: 2023-02-07 18:41 UTC by Hanno Böck
Modified: 2024-01-06 09:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2023-02-07 18:41:43 UTC 
This sounds severe:
https://www.metabaseq.com/imagemagick-zero-days/
https://github.com/Sybil-Scan/imagemagick-lfi-poc

It doesn't say which version fixes it, but I believe based on upstream's changelog at
https://github.com/ImageMagick/Website/blob/main/ChangeLog.md

it's probably this:
"disable setting profile:<filename> property as it is a security risk 8235d35"
with patch here:
https://github.com/ImageMagick/ImageMagick/commit/8235d35d41f8d3cbd0c20612c406129593dbbf73

This is fixed in upstream's 7.1.0-61.
Comment 1 Larry the Git Cow gentoo-dev 2023-02-08 14:59:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef065fe55443031e1f5e67adfe6f9a1ce15245e

commit 3ef065fe55443031e1f5e67adfe6f9a1ce15245e
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-02-08 14:56:08 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-02-08 14:58:58 +0000

    media-gfx/imagemagick: add 6.9.12.76, 7.1.0.61
    
    Bug: https://bugs.gentoo.org/893526
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 media-gfx/imagemagick/Manifest                     |   2 +
 media-gfx/imagemagick/imagemagick-6.9.12.76.ebuild | 269 ++++++++++++++++++++
 media-gfx/imagemagick/imagemagick-7.1.0.61.ebuild  | 278 +++++++++++++++++++++
 3 files changed, 549 insertions(+)
Comment 2 Hanno Böck gentoo-dev 2023-03-11 07:32:52 UTC 
Can we stabilize a newer version?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-11 22:09:07 UTC 
Sorry, yes, the delay was in me getting to bug 895246
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-03-11 22:28:16 UTC 
(In reply to Hanno Böck from comment #0)
> This sounds severe:
> https://www.metabaseq.com/imagemagick-zero-days/
> https://github.com/Sybil-Scan/imagemagick-lfi-poc
> 
> It doesn't say which version fixes it, but I believe based on upstream's
> changelog at
> https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
> 
> it's probably this:
> "disable setting profile:<filename> property as it is a security risk
> 8235d35"
> with patch here:
> https://github.com/ImageMagick/ImageMagick/commit/
> 8235d35d41f8d3cbd0c20612c406129593dbbf73
> 
> This is fixed in upstream's 7.1.0-61.

... and https://github.com/ImageMagick/ImageMagick6/commit/222845f6a0848c1e1c567bb1618617e786523bb2 for IM6.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 18:55:39 UTC 
CVE-2022-44267 (https://www.metabaseq.com/imagemagick-zero-days/):

ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.