Bug 2167594 (CVE-2022-44268) - CVE-2022-44268 ImageMagick: vulnerable to Information Disclosure when it parses a PNG image [NEEDINFO]
Summary: CVE-2022-44268 ImageMagick: vulnerable to Information Disclosure when it pars...
Status: NEW
Alias: CVE-2022-44268
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2167599 2167600 2167601
Blocks: 2167598
TreeView+ depends on / blocked
Reported: 2023-02-07 05:05 UTC by Sandipan Roy
Modified: 2023-07-07 08:33 UTC (History)
6 users (show)

Fixed In Version: ImageMagick 7.1.0-52, ImageMagick 6.9.12-67
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure vulnerability was found in ImageMagick. This flaw allows an attacker to read arbitrary files from a server when parsing an image and happens when the program is parsing a PNG image. If ImageMagick has permission to read other arbitrary files, the resulting image could have been embedded with contents from another file on the machine after the parsing process.
Clone Of:
Last Closed:
trathi: needinfo? (jhorak)

Attachments (Terms of Use)

Description Sandipan Roy 2023-02-07 05:05:48 UTC
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).


Comment 1 Sandipan Roy 2023-02-07 05:09:37 UTC
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 2167599]
Affects: fedora-36 [bug 2167600]
Affects: fedora-37 [bug 2167601]

Comment 4 Sergio Basto 2023-02-14 11:48:29 UTC
in 22 of dec of 2022 I updated all branches to 6.9.12-70 [1]

as we can't have versions with "-" we convert "-" to "." so, in Fedora, version is 

* 6210760 2022-12-22 22:03 Sérgio M. Basto (origin/f37, origin/f36, origin/epel9, origin/epel8, f37, f36, epel9, epel8) Update ImageMagick to (#2150658)

Note You need to log in before you can comment on or make changes to this bug.