SUSE has issued an advisory on April 3:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014341.html

The issue is fixed upstream in 7.1.1:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 7.1.1
I believe this Fedora advisory from April 2 is for the same issue: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2UT74QYVOJKQFFX6BUGGQTMOTAZU3ARP/
Assigning to our registered imagemagick maintainer
Assignee: bugsquad => smelror
CC: (none) => marja11
Cauldron updated with a backported patch - imagemagick-7.1.0.62-3
Version: Cauldron => 8
Source RPM: imagemagick-7.1.0.62-2.mga9.src.rpm => imagemagick-7.1.0.57-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

Advisory
========

ImageMagick has been updated to fix CVE-2023-1289.

CVE-2023-1289: A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.

References
==========

https://lists.suse.com/pipermail/sle-security-updates/2023-April/014341.html
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-1289

Files
=====

Uploaded to core/updates_testing

imagemagick-desktop-7.1.0.62-1.mga8
perl-Image-Magick-7.1.0.62-1.mga8
lib64magick++-7Q16HDRI_5-7.1.0.62-1.mga8
lib64magick-devel-7.1.0.62-1.mga8
lib64magick-7Q16HDRI_10-7.1.0.62-1.mga8
imagemagick-7.1.0.62-1.mga8
imagemagick-doc-7.1.0.62-1.mga8

from imagemagick-7.1.0.62-1.mga8.src.rpm

Uploaded to tainted/updates_testing

imagemagick-desktop-7.1.0.62-1.mga8.tainted
perl-Image-Magick-7.1.0.62-1.mga8.tainted
lib64magick++-7Q16HDRI_5-7.1.0.62-1.mga8.tainted
lib64magick-devel-7.1.0.62-1.mga8.tainted
imagemagick-7.1.0.62-1.mga8.tainted
lib64magick-7Q16HDRI_10-7.1.0.62-1.mga8.tainted
imagemagick-doc-7.1.0.62-1.mga8.tainted

from imagemagick-7.1.0.62-1.mga8.src.rpm
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 7.1.1 => (none)
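The advisory above describes an SVG that loads itself through an image reference. As an added defensive pre-screen (example code written for this page, not part of the Mageia or ImageMagick packages), the following parses an untrusted SVG and reports any <image> element whose href points at a local file, flagging the case where it names the SVG's own file. The sample SVGs are constructed here for illustration.

```python
"""Pre-screen untrusted SVGs for local-file <image> references before conversion."""
import os
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 1.1 uses xlink:href; SVG 2 allows a plain href attribute.
HREF_ATTRS = ("{%s}href" % XLINK_NS, "href")


def find_risky_image_refs(svg_text: str, filename: str) -> list:
    """Return (href, reason) pairs for <image> elements referencing local files.

    reason is "self-reference" when the href names the SVG's own file and
    "local-file" otherwise. data: URIs and http(s) URLs are not reported.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Unparseable input is rejected rather than handed to the renderer.
        return [("<unparseable>", "parse error: %s" % exc)]
    own_name = os.path.basename(filename)
    for elem in root.iter():
        if elem.tag not in ("{%s}image" % SVG_NS, "image"):
            continue
        for attr in HREF_ATTRS:
            href = elem.get(attr)
            if href is None:
                continue
            lowered = href.strip().lower()
            if lowered.startswith(("data:", "http://", "https://")):
                continue
            # Anything else is resolved relative to the local filesystem.
            if os.path.basename(href.strip()) == own_name:
                findings.append((href, "self-reference"))
            else:
                findings.append((href, "local-file"))
    return findings


def is_safe_to_convert(svg_text: str, filename: str) -> bool:
    """True when no local-file image references were found."""
    return not find_risky_image_refs(svg_text, filename)


# Constructed samples (hypothetical file names, not the PoC from the advisory).
SAMPLE_SELF_LOADING = (
    '<svg xmlns="%s" xmlns:xlink="%s" width="128" height="128">'
    '<image xlink:href="self.svg" width="128" height="128"/></svg>' % (SVG_NS, XLINK_NS)
)
SAMPLE_DATA_URI = (
    '<svg xmlns="%s"><image href="data:image/png;base64,iVBORw0KGgo=" '
    'width="1" height="1"/></svg>' % SVG_NS
)
```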
Tested the core version in an "untainted" MGA8-64 Plasma in VirtualBox. No installation issues. Used the command line to convert a jpeg of a St. Lawrence River sunset (as it came from the Canon camera) to png. Loaded the same jpeg into the Imagemagick gui, and proceeded to mangle it beyond recognition using various Transform, Enhance, and FX tools, then undid everything I did successfully.

I didn't think to check the POC until after the update, but, after creating the "specially crafted SVG" file, I followed instructions:

[tom@localhost ~]$ magick --version
Version: ImageMagick 7.1.0-62 Q16-HDRI x86_64 20885 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI Modules OpenMP(4.5)
Delegates (built-in): bzlib cairo djvu fftw fontconfig freetype gslib gvc jbig jng jp2 jpeg lcms lqr ltdl lzma openexr pangocairo png ps raw rsvg tiff webp wmf x xml zlib
Compiler: gcc (10.4)
[tom@localhost ~]$ magick convert -verbose -font OpenSymbol bad.svg t.jpg
'inkscape' '/tmp/magick-ixX13JwrwrLUhyucKsGxechsQtEN4Zji' --export-filename='/tmp/magick-qp154V6U-dyAwtU-QbcnWD8XKFcG7q5k.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='1' > '/tmp/magick-YWdlPJt-_9BfRq0uY2vmza_VOxWfjyvl' 2>&1
'inkscape' '/tmp/magick-mbZmuRI6BOeLi0_YWmitNPJHApjYseHj' --export-filename='/tmp/magick-F8U_nCnrNEX4zLlw4Rnn2ZmIOG11ls6h.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='1' > '/tmp/magick-81lVXIRNecoCo7JwW8archkIk4VtlTbk' 2>&1
bad.svg SVG 128x128 128x128+0+0 16-bit sRGB 206B 0.000u 0:00.006
bad.svg=>t.jpg SVG 128x128 128x128+0+0 16-bit sRGB 225B 0.000u 0:00.001
[tom@localhost ~]$

There was no segfault, so it would seem that this version is OK. On to a tainted test...
CC: (none) => andrewsfarm
Tested the tainted version in another VirtualBox guest. This time I tried the POC before the update, but again there was no segfault. Either this version was not affected after all, or I didn't do the test correctly. Either may be possible. No installation issues. Afterward, I performed the same manipulations as in comment 5, except on a different image, but with the same results. This is as far as I can go, and as far as I can see this is OK. If someone with better skills than mine wants to try the POC, I wouldn't object. I'll give it a couple of days before sending it on.
CC: (none) => mageia
@TJ in reply to comment 6. No, I tried the untainted test without updating and saw the same thing - nothing wrong with the way you tested it. No extra files in /tmp and the converted image displays as a white square and there are no extra files in /tmp. The OP was testing exactly the same version of magick as far as I can see. So it looks fixed for Mageia.
CC: (none) => tarazed25
Thanks, Len. Validating. Advisory in comment 4.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0136.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED