[Bug 2004580] Re: Possible arbitrary file leak
David Zuelke
2004580 at bugs.launchpad.net
Mon Feb 27 14:04:16 UTC 2023
Jammy needs a few more commits from upstream for a clean apply:
ubuntu-imagemagick % git checkout origin/applied/ubuntu/jammy
Previous HEAD position was d5cfbaeb8 8:6.9.10.23+dfsg-2.1ubuntu11.4 (patches applied)
HEAD is now at bc5d3ac18 8:6.9.11.60+dfsg-1.3build2 (patches applied)
ubuntu-imagemagick % curl -s https://github.com/ImageMagick/ImageMagick6/commit/be3b2a02cbb9c9affa7b0afa0665ed4b4bb0f47b.patch https://github.com/ImageMagick/ImageMagick6/commit/222845f6a0848c1e1c567bb1618617e786523bb2.patch https://github.com/ImageMagick/ImageMagick6/commit/87d719c194cc9356cdcf5df578bbea25582a290c.patch https://github.com/ImageMagick/ImageMagick6/commit/d77c01e560e973177feed4915ffd7dd1a45fd763.patch | patch
patching file 'magick/property.c'
patching file 'magick/property.c'
patching file 'magick/property.c'
patching file 'magick/property.c'
patching file 'wand/mogrify.c'
This then also includes https://github.com/ImageMagick/ImageMagick6/commit/be3b2a02cbb9c9affa7b0afa0665ed4b4bb0f47b which appears to fix another vulnerability.
At this point I am not sure if the fix applied to bionic (https://git.launchpad.net/ubuntu/+source/imagemagick/commit/?id=7b0f88e3da8a0aca0774318be77c6e476c537334) is even complete. The commit message sort of points to https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe, and I believe https://github.com/ImageMagick/ImageMagick6/commit/23bf43133d5fc525afafdc47398cd92b3b68797d is related as well.
It appears like https://git.launchpad.net/ubuntu/+source/imagemagick/commit/?id=7b0f88e3da8a0aca0774318be77c6e476c537334 is the original upstream fix, and that was later improved, or fully fixed, using the patches I linked?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/2004580
Title:
Possible arbitrary file leak
Status in imagemagick package in Ubuntu:
Confirmed
Bug description:
More details can be found here:
https://www.metabaseq.com/imagemagick-zero-days/
Affected versions:
Injection via "-authenticate"
- ImageMagick 6: 6.9.8-1 up to 6.9.11-40
Exploitation via MSL:
- ImageMagick 6: 6.9.11-35 up to 6.9.11-40