Bug 1907456 (CVE-2020-29599)

Summary: CVE-2020-29599 ImageMagick: Shell injection via PDF password could result in arbitrary code execution
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: fedora, jhorak, jlyle, mike, pahan, rhel8-maint, stransky
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ImageMagick 7.0.10-40
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ImageMagick. The -authenticate option is mishandled, allowing a user-controlled password set for a PDF file to inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Last Closed: 2021-01-05 18:27:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1907457, 1907458, 1908102, 1908103, 1908104, 1908105, 1908106, 1908107, 1910491
Bug Blocks: 1903629

Description Michael Kaplan 2020-12-14 14:49:31 UTC
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
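The bug class described above is a user-controlled value spliced verbatim into a delegate command line that later reaches /bin/sh. As an added illustration (not ImageMagick's or Red Hat's code; the names shell_quote and build_pdf_password_arg_* are hypothetical), the unsafe pattern is shown next to a form that quotes the password so it stays one literal word:

```c
#include <stdio.h>
#include <string.h>
/* Added illustration, not code from ImageMagick or Red Hat. CVE-2020-29599 is a
 * case of pasting the -authenticate password verbatim into the Ghostscript
 * delegate command line that later reaches /bin/sh. The function names here
 * (shell_quote, build_pdf_password_arg_*) are hypothetical. */

/* Unsafe pattern: the password text becomes part of the shell command as-is,
 * so quote characters and metacharacters in it change the command structure. */
int build_pdf_password_arg_unsafe(const char *password, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "-sPDFPassword=%s", password);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Wrap s in single quotes, rewriting each embedded ' as '\'' so the shell
 * treats the whole value as one literal word. Returns bytes written
 * (excluding the NUL), or -1 if out is too small. */
int shell_quote(const char *s, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen < 3)
        return -1;
    out[pos++] = '\'';
    for (; *s != '\0'; s++) {
        const char *rep = (*s == '\'') ? "'\\''" : NULL;
        size_t need = rep ? strlen(rep) : 1;
        if (pos + need + 2 > outlen)   /* keep room for closing ' and NUL */
            return -1;
        if (rep) {
            memcpy(out + pos, rep, need);
            pos += need;
        } else {
            out[pos++] = *s;
        }
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return (int)pos;
}

/* Hardened pattern: the quoted value cannot end the word or start a command.
 * Stronger still is to skip the shell entirely and pass an argv to execve(). */
int build_pdf_password_arg_safe(const char *password, char *out, size_t outlen)
{
    char quoted[512];
    if (shell_quote(password, quoted, sizeof quoted) < 0)
        return -1;
    int n = snprintf(out, outlen, "-sPDFPassword=%s", quoted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Quoting fixes the string-building step only; the check a reviewer should also look for is whether the delegate is invoked through a shell at all.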

Comment 2 Michael Kaplan 2020-12-14 14:49:54 UTC
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1907457]
Affects: fedora-all [bug 1907458]

Comment 5 Marco Benatto 2020-12-17 15:07:29 UTC
Statement:

Although ImageMagick is shipped as a bundled dependency of Inkscape, the latter package is not affected, as the primary usage of ImageMagick in Inkscape is for bitmap filters, thus not exposing the affected code path.

Comment 6 Marco Benatto 2020-12-22 17:53:34 UTC
There's an issue with ImageMagick when opening password-protected PDF files. The user-provided password input string is not sanitized; an attacker can leverage the flaw by crafting an input string, leading to a shell command injection. Such a vulnerability can compromise Integrity, Confidentiality and Availability depending on the command injected. For an attack to be successful, the attacker needs local access to any tool shipped with ImageMagick, or to trick a user into opening a protected PDF using the crafted input string.

Comment 9 errata-xmlrpc 2021-01-05 15:03:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0024 https://access.redhat.com/errata/RHSA-2021:0024

Comment 10 Product Security DevOps Team 2021-01-05 18:27:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29599