2167594 – (CVE-2022-44268) CVE-2022-44268 ImageMagick: vulnerable to Information Disclosure when it parses a PNG image

Bug 2167594 (CVE-2022-44268) - CVE-2022-44268 ImageMagick: vulnerable to Information Disclosure when it parses a PNG image [NEEDINFO]

Summary: CVE-2022-44268 ImageMagick: vulnerable to Information Disclosure when it pars...

Keywords:
Status:	NEW
Alias:	CVE-2022-44268
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2167599 2167600 2167601
Blocks:	2167598
TreeView+	depends on / blocked

Reported:	2023-02-07 05:05 UTC by Sandipan Roy
Modified:	2023-07-07 08:33 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ImageMagick 7.1.0-52, ImageMagick 6.9.12-67
Doc Type:	If docs needed, set a value
Doc Text:	An information disclosure vulnerability was found in ImageMagick. This flaw allows an attacker to read arbitrary files from a server when parsing an image and happens when the program is parsing a PNG image. If ImageMagick has permission to read other arbitrary files, the resulting image could have been embedded with contents from another file on the machine after the parsing process.
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	trathi: needinfo? (jhorak)

Attachments	(Terms of Use)

Description Sandipan Roy 2023-02-07 05:05:48 UTC

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).

https://imagemagick.org/
https://www.metabaseq.com/imagemagick-zero-days/

Comment 1 Sandipan Roy 2023-02-07 05:09:37 UTC

Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 2167599]
Affects: fedora-36 [bug 2167600]
Affects: fedora-37 [bug 2167601]

Comment 3 TEJ RATHI 2023-02-09 07:39:37 UTC

Upstream Commits:

[1] https://github.com/ImageMagick/ImageMagick/commit/05673e63c919e61ffa1107804d1138c46547a475 (ImageMagick 7.1.0-52)
[2] https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe (ImageMagick 6.9.12-67)

Comment 4 Sergio Basto 2023-02-14 11:48:29 UTC

in 22 of dec of 2022 I updated all branches to 6.9.12-70 [1]

as we can't have versions with "-" we convert "-" to "." so, in Fedora, version is 6.9.12.70 

[1]
* 6210760 2022-12-22 22:03 Sérgio M. Basto (origin/f37, origin/f36, origin/epel9, origin/epel8, f37, f36, epel9, epel8) Update ImageMagick to 6.9.12.70 (#2150658)

Note You need to log in before you can comment on or make changes to this bug.