Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-39212

ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a module policy in policy.xml. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the module policy and instead use the coder policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.

CVE

Package

ImageMagick (App)

Affected versions

< 7.1.0-7; < 6.9.12-22

Patched versions

7.1.0-7; 6.9.12-22

Impact

In certain cases, Postscript files could be read and written when specifically excluded by a module policy in policy.xml:

<policy domain="module" rights="none" pattern="PS" />

Patches

The issue has been resolved in ImageMagick 7.1.0-7 and 6.9.12-22.

Workarounds

Fortunately, in the wild, few users utilize the module policy and instead use the coder policy that is also our workaround recommendation:

<policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />

For more information

If you have any questions or comments about this advisory:

Related news

Ubuntu Security Notice USN-6200-2

Ubuntu Security Notice 6200-2 - USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the problem.

Ubuntu Security Notice USN-6200-1

Ubuntu Security Notice 6200-1 - It was discovered that ImageMagick incorrectly handled the "-authenticate" option for password-protected PDF files. An attacker could possibly use this issue to inject additional shell commands and perform arbitrary code execution. This issue only affected Ubuntu 20.04 LTS. It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 20.04 LTS.

Ubuntu Security Notice USN-5736-1

Ubuntu Security Notice 5736-1 - It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 22.10.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907