Bug 1907456 (CVE-2020-29599) - CVE-2020-29599 ImageMagick: Shell injection via PDF password could result in arbitrary code execution
Summary: CVE-2020-29599 ImageMagick: Shell injection via PDF password could result in ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-29599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1907457 1907458 1908102 1908103 1908104 1908105 1908106 1908107 1910491
Blocks: 1903629
TreeView+ depends on / blocked
 
Reported: 2020-12-14 14:49 UTC by Michael Kaplan
Modified: 2024-03-25 17:32 UTC (History)
7 users (show)

Fixed In Version: ImageMagick 7.0.10-40
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ImageMagick. The -authenticate option is mishandled allowing user-controlled password set for a PDF file to possibly inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-01-05 18:27:40 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0068 0 None None None 2021-01-11 16:38:32 UTC
Red Hat Product Errata RHSA-2021:0024 0 None None None 2021-01-05 15:03:05 UTC

Description Michael Kaplan 2020-12-14 14:49:31 UTC 
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
Comment 1 Michael Kaplan 2020-12-14 14:49:34 UTC 
External References:

https://github.com/ImageMagick/ImageMagick/discussions/2851
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
Comment 2 Michael Kaplan 2020-12-14 14:49:54 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1907457]
Affects: fedora-all [bug 1907458]
Comment 5 Marco Benatto 2020-12-17 15:07:29 UTC 
Statement:

Although ImageMagick is shipped as bundled dependency of Inkscape, the further package is not affected as the primary usage for ImageMagick in Inkscape is for bitmap filters thus not exposing the affected code path.
Comment 6 Marco Benatto 2020-12-22 17:53:34 UTC 
There's an issue with ImageMagick when opening password protected PDF files. The user provided password input string is not sanitized, an attacker can leverage the flaw by crafting a input string, leading to a shell command injection. Such vulnerability can compromise the Integrity, Confidentiality and Availability depending on the command injected. For an attack to be successful the attack needs local access to any tool shipped ImageMagick or to trick an user to open an protected PDF using the crafted input string.
Comment 8 Marco Benatto 2020-12-28 14:52:45 UTC 
Upstream commits for this issue:
https://github.com/ImageMagick/ImageMagick/commit/89a1c73ee2693ded91a72d00bdf3aba410f349f1
https://github.com/ImageMagick/ImageMagick/commit/68154c05cf40a80b6f2e2dd9fdc4428570f875f0
https://github.com/ImageMagick/ImageMagick/commit/a9e63436aa04c805fe3f9e2ed242dfa4621df823
Comment 9 errata-xmlrpc 2021-01-05 15:03:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0024 https://access.redhat.com/errata/RHSA-2021:0024
Comment 10 Product Security DevOps Team 2021-01-05 18:27:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29599
Note You need to log in before you can comment on or make changes to this bug.