[Bug 2004580] Re: Possible arbitrary file leak

Seth Arnold 2004580 at bugs.launchpad.net
Tue Feb 28 03:17:55 UTC 2023


On Mon, Feb 27, 2023 at 12:52:15PM -0000, David Zuelke wrote:
> I agree with this. It's trivially exploited using a crafted PNG. Every
> Ruby on Rails app, for example, shells out to `convert` out of the box
> for image resizing. It's a very standard use case.

Unfortunately this is not a new situation for ImageMagick:
https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html
"Total number of vulnerabilities : 630"

If you've built your applications to accept untrusted inputs from users
and then hand them to ImageMagick for processing, I strongly recommend that
you take steps to secure your environment:

- confine the application with an AppArmor profile
- confine the application with a seccomp profile
- run it as a user with very limited write permissions
- configure rlimits or cgroups on the service to prevent it from consuming
  excessive resources
- configure the networking stack to limit what network resources can be
  reached

ImageMagick is incredibly powerful software but it's also got a long
history of not being suitable for untrusted inputs.

I expect we'll address these CVEs sooner or later but it's important
that everyone who builds applications with ImageMagick understand the
risks and take appropriate actions to mitigate against exploits. This
is true of all software but especially important for ImageMagick.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/2004580

Title:
  Possible arbitrary file leak

Status in imagemagick package in Ubuntu:
  Confirmed

Bug description:
  More details can be found here:

  https://www.metabaseq.com/imagemagick-zero-days/

  Affected versions:

      Injection via "-authenticate"
      - ImageMagick 6: 6.9.8-1 up to 6.9.11-40
      Exploitation via MSL:
      - ImageMagick 6: 6.9.11-35 up to 6.9.11-40

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2004580/+subscriptions
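
An added example, not part of the original message or of ImageMagick: a Python wrapper that an application could use to shell out to an image converter with rlimits, a minimal environment and a throwaway working directory, covering the rlimit item in the list above. The names `run_confined` and `DEFAULT_LIMITS` and all limit values are assumptions made for illustration; AppArmor, seccomp, a dedicated low-privilege user and network restrictions still have to be configured on the service itself.

```python
import resource
import subprocess
import sys
import tempfile

# Constructed defaults; tune them to your largest legitimate image.
DEFAULT_LIMITS = {
    resource.RLIMIT_CPU: 5,            # seconds of CPU time
    resource.RLIMIT_AS: 1 << 30,       # 1 GiB of address space
    resource.RLIMIT_FSIZE: 64 << 20,   # largest file the child may write
    resource.RLIMIT_NOFILE: 64,        # open file descriptors
    resource.RLIMIT_CORE: 0,           # no core dumps containing user data
}


def _apply_limits(limits):
    """Runs in the child between fork() and exec()."""
    for res, wanted in limits.items():
        _, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            wanted = min(wanted, hard)  # never try to raise a hard limit
        resource.setrlimit(res, (wanted, wanted))


def run_confined(argv, limits=None, wall_seconds=20):
    """Run argv with rlimits, a minimal environment and a scratch cwd."""
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    with tempfile.TemporaryDirectory() as scratch:
        return subprocess.run(
            argv,
            cwd=scratch,               # relative writes land in a throwaway dir
            env={"PATH": "/usr/bin:/bin", "HOME": scratch},
            stdin=subprocess.DEVNULL,
            capture_output=True,
            timeout=wall_seconds,      # wall-clock cap on top of RLIMIT_CPU
            preexec_fn=lambda: _apply_limits(limits),
            check=False,
        )


if __name__ == "__main__":
    # Stand-in child that reports the limits it inherited; in an application
    # argv would be the converter command line with absolute file paths.
    probe = ("import resource as r;"
             "print(r.getrlimit(r.RLIMIT_CPU)[0], r.getrlimit(r.RLIMIT_NOFILE)[0])")
    print(run_confined([sys.executable, "-c", probe]).stdout.decode())
```

A non-zero return code or a `subprocess.TimeoutExpired` from `run_confined` should be treated as a rejected upload rather than retried with looser limits.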



