Bug 2167594 (CVE-2022-44268)

Summary: CVE-2022-44268 ImageMagick: vulnerable to Information Disclosure when it parses a PNG image
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, ikanias, jary, jhorak, rravi, tohughes
Keywords: Security
Flags: trathi: needinfo? (jhorak)
Hardware: All
OS: Linux
Fixed In Version: ImageMagick 7.1.0-52, ImageMagick 6.9.12-67
Doc Text:
An information disclosure vulnerability was found in ImageMagick. The flaw occurs when the program parses a PNG image and allows an attacker to read arbitrary files from a server. If ImageMagick has permission to read other arbitrary files, the resulting image could have contents from another file on the machine embedded in it after the parsing process.
Bug Depends On: 2167599, 2167600, 2167601    
Bug Blocks: 2167598    

Description Sandipan Roy 2023-02-07 05:05:48 UTC
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).

https://imagemagick.org/
https://www.metabaseq.com/imagemagick-zero-days/

Comment 1 Sandipan Roy 2023-02-07 05:09:37 UTC
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 2167599]
Affects: fedora-36 [bug 2167600]
Affects: fedora-37 [bug 2167601]

Comment 4 Sergio Basto 2023-02-14 11:48:29 UTC
On 22 Dec 2022 I updated all branches to 6.9.12-70 [1].

As we can't have versions with "-", we convert "-" to ".", so in Fedora the version is 6.9.12.70.

[1]
* 6210760 2022-12-22 22:03 Sérgio M. Basto (origin/f37, origin/f36, origin/epel9, origin/epel8, f37, f36, epel9, epel8) Update ImageMagick to 6.9.12.70 (#2150658)
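
As an added example (not part of the bug report, ImageMagick or Fedora tooling), the Python check below compares a reported ImageMagick version against the Fixed In Version values above, accepting both the upstream form (7.1.0-49) and Fedora's dotted form (6.9.12.70) described in Comment 4. The function names and sample strings are constructed for illustration, and it assumes the fourth numeric field is always the upstream patch level.

```python
import re

# Fixed releases per upstream series, taken from "Fixed In Version" on this page.
FIXED = {6: (6, 9, 12, 67), 7: (7, 1, 0, 52)}

# Upstream writes "7.1.0-49"; Fedora replaces the "-" with "." ("6.9.12.70").
# Assumption: the fourth numeric field is always the upstream patch level.
_VERSION = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)[.-](\d+)")


def parse_version(text):
    """Return (major, minor, micro, patch) from a version or package string."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no ImageMagick version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def has_fix(text):
    """True if the version is at or above the fixed release of its series."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        raise ValueError(f"no fixed release listed for series {version[0]}.x")
    return version >= fixed


def audit(reports):
    """Map each reported string to 'fixed', 'vulnerable' or 'unknown'."""
    results = {}
    for text in reports:
        try:
            results[text] = "fixed" if has_fix(text) else "vulnerable"
        except ValueError:
            results[text] = "unknown"
    return results


if __name__ == "__main__":
    # Constructed sample inputs: `magick -version` style and RPM-style strings.
    samples = [
        "Version: ImageMagick 7.1.0-49 Q16-HDRI x86_64",
        "ImageMagick-6.9.12.70-1.fc37.x86_64",
        "ImageMagick 6.9.12-66",
        "not a version",
    ]
    for text, verdict in audit(samples).items():
        print(f"{verdict:10} {text}")
```

The comparison only looks at the version number, so a package that carries the fix as a backported patch under an older version is still reported as vulnerable.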