Описание
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
A flaw was found in ImageMagick, a software used for editing and manipulating digital images. This vulnerability allows an attacker to inject malicious code into PostScript files due to improper input sanitization in the PostScript coders. When a specially crafted file is processed by a printer or viewer, this injected code can be executed, potentially leading to arbitrary code execution. A similar issue exists in the HTML encoder, where improper escaping of strings could allow for arbitrary HTML injection.
Отчет
This vulnerability has a MODERATE impact. ImageMagick's PostScript coders, as shipped in Red Hat Enterprise Linux 6 ELS and 7 ELS, are susceptible to arbitrary code injection. Processing a specially crafted file could lead to the execution of malicious PostScript code when rendered by a printer or viewer.
Меры по смягчению последствий
To mitigate this vulnerability, restrict ImageMagick's ability to process untrusted input files, especially when generating PostScript output. Alternatively, disable the PostScript (PS) coder in ImageMagick's policy configuration to prevent the creation of potentially malicious PostScript files. This can be achieved by editing the ImageMagick policy file, typically located at /etc/ImageMagick-X/policy.xml (where X is the ImageMagick version), and adding or modifying a policy entry to disable the 'PS' format. For example, add within the tags. This action may impact applications that rely on ImageMagick's ability to write PostScript files. A service restart may be required for changes to take effect.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ImageMagick | Out of support scope | ||
| Red Hat Enterprise Linux 7 | ImageMagick | Out of support scope |
Показывать по
Дополнительная информация
Статус:
5.7 Medium
CVSS3
Связанные уязвимости
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
ImageMagick is free and open-source software used for editing and mani ...
ImageMagick: Code Injection via PostScript header in ps coders
5.7 Medium
CVSS3