Name | CVE-2020-29599 |
Description | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-2523-1, DLA-3357-1 |
Debian Bugs | 977205 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
imagemagick (PTS) | bullseye | 8:6.9.11.60+dfsg-1.3+deb11u4 | fixed |
| bullseye (security) | 8:6.9.11.60+dfsg-1.3+deb11u3 | fixed |
| bookworm | 8:6.9.11.60+dfsg-1.6+deb12u2 | fixed |
| bookworm (security) | 8:6.9.11.60+dfsg-1.6+deb12u1 | fixed |
| sid, trixie | 8:7.1.1.39+dfsg1-3 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://github.com/ImageMagick/ImageMagick/discussions/2851
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a9e63436aa04c805fe3f9e2ed242dfa4621df823
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/68154c05cf40a80b6f2e2dd9fdc4428570f875f0
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/89a1c73ee2693ded91a72d00bdf3aba410f349f1
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a7b2d8328c539da6e79a118a0b8e97462c7daa77
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/2eead004825d31e8f49022f0bc4ca0d3457b0bb1
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/20f520ed5c8541ae6646bc38d9d3b480785be6c3
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a2b3dd8455da2f17849b55e6b6ddcce587e4a323
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/7b0cce080345e5b7ef26d122f18809c93a19a80e
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/875fdf773d6e822364f876bed14c1785a01b45a7
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/ab2e97d2f7520d1d9ff36ef421caf2a899e14ce4
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/869e38717fa91325da87c2a4cedc148a770a07ec
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/226804980651bb4eb5f3ba3b9d7e992f2eda4710
ImageMagick6 (bugfix): https://github.com/ImageMagick/ImageMagick6/commit/83ec5b5b8ee7cae891fff59340be207b513a030d (6.9.11-41)
Issue mitigated by disabling ghostscript handled formats based on -SAFER insecurity,
cf 200-disable-ghostscript-formats.patch in 8:6.9.10.23+dfsg-2.1+deb10u1, but opens
#964090.
2 vectors for IM6:
1. stealth (ps:* delegates, hard-coded options)
broken between 78c7532f3ff5424de06e5d807cbb35c041bd2990 (6.9.4-2) and 8787fc6de99078fde055bd400b14e1ce3a2971f9 (6.9.8-1)
'-authenticate' replaced by '-define authenticate=' between 8787fc6de99078fde055bd400b14e1ce3a2971f9 (6.9.8-1) and 83ec5b above
2. bimodal ('-define delegate:bimodal=true' + pdf->(e)ps delegates, %a expansion) after 78c7532f3ff5424de06e5d807cbb35c041bd2990 (6.9.4-2)