Bug 1907456 (CVE-2020-29599) - CVE-2020-29599 ImageMagick: Shell injection via PDF password could result in arbitrary code execution
Summary: CVE-2020-29599 ImageMagick: Shell injection via PDF password could result in ...
Alias: CVE-2020-29599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1907457 1907458 1908102 1908103 1908104 1908105 1908106 1908107 1910491
Blocks: 1903629
TreeView+ depends on / blocked
Reported: 2020-12-14 14:49 UTC by Michael Kaplan
Modified: 2024-03-25 17:32 UTC (History)
7 users (show)

Fixed In Version: ImageMagick 7.0.10-40
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ImageMagick. The -authenticate option is mishandled allowing user-controlled password set for a PDF file to possibly inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Last Closed: 2021-01-05 18:27:40 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0068 0 None None None 2021-01-11 16:38:32 UTC
Red Hat Product Errata RHSA-2021:0024 0 None None None 2021-01-05 15:03:05 UTC

Description Michael Kaplan 2020-12-14 14:49:31 UTC
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

Comment 2 Michael Kaplan 2020-12-14 14:49:54 UTC
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1907457]
Affects: fedora-all [bug 1907458]

Comment 5 Marco Benatto 2020-12-17 15:07:29 UTC

Although ImageMagick is shipped as bundled dependency of Inkscape, the further package is not affected as the primary usage for ImageMagick in Inkscape is for bitmap filters thus not exposing the affected code path.

Comment 6 Marco Benatto 2020-12-22 17:53:34 UTC
There's an issue with ImageMagick when opening password protected PDF files. The user provided password input string is not sanitized, an attacker can leverage the flaw by crafting a input string, leading to a shell command injection. Such vulnerability can compromise the Integrity, Confidentiality and Availability depending on the command injected. For an attack to be successful the attack needs local access to any tool shipped ImageMagick or to trick an user to open an protected PDF using the crafted input string.

Comment 9 errata-xmlrpc 2021-01-05 15:03:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0024 https://access.redhat.com/errata/RHSA-2021:0024

Comment 10 Product Security DevOps Team 2021-01-05 18:27:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.