| Name | CVE-2020-29599 |
| Description | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2523-1, DLA-3357-1, ELA-345-1 |
| Debian Bugs | 977205 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| imagemagick (PTS) | jessie, jessie (lts) | 8:6.8.9.9-5+deb8u26 | fixed |
| stretch (security) | 8:6.9.7.4+dfsg-11+deb9u14 | fixed | |
| stretch (lts), stretch | 8:6.9.7.4+dfsg-11+deb9u19 | fixed | |
| buster | 8:6.9.10.23+dfsg-2.1+deb10u1 | vulnerable | |
| buster (security) | 8:6.9.10.23+dfsg-2.1+deb10u7 | fixed | |
| bullseye | 8:6.9.11.60+dfsg-1.3+deb11u2 | fixed | |
| bullseye (security) | 8:6.9.11.60+dfsg-1.3+deb11u3 | fixed | |
| bookworm | 8:6.9.11.60+dfsg-1.6 | fixed | |
| bookworm (security) | 8:6.9.11.60+dfsg-1.6+deb12u1 | fixed | |
| trixie | 8:6.9.12.98+dfsg1-5 | fixed | |
| sid | 8:6.9.12.98+dfsg1-5.2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| imagemagick | source | jessie | 8:6.8.9.9-5+deb8u22 | ELA-345-1 | ||
| imagemagick | source | stretch | 8:6.9.7.4+dfsg-11+deb9u11 | DLA-2523-1 | ||
| imagemagick | source | buster | 8:6.9.10.23+dfsg-2.1+deb10u2 | DLA-3357-1 | ||
| imagemagick | source | (unstable) | 8:6.9.11.57+dfsg-1 | 977205 |
https://github.com/ImageMagick/ImageMagick/discussions/2851
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a9e63436aa04c805fe3f9e2ed242dfa4621df823
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/68154c05cf40a80b6f2e2dd9fdc4428570f875f0
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/89a1c73ee2693ded91a72d00bdf3aba410f349f1
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a7b2d8328c539da6e79a118a0b8e97462c7daa77
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/2eead004825d31e8f49022f0bc4ca0d3457b0bb1
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/20f520ed5c8541ae6646bc38d9d3b480785be6c3
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a2b3dd8455da2f17849b55e6b6ddcce587e4a323
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/7b0cce080345e5b7ef26d122f18809c93a19a80e
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/875fdf773d6e822364f876bed14c1785a01b45a7
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/ab2e97d2f7520d1d9ff36ef421caf2a899e14ce4
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/869e38717fa91325da87c2a4cedc148a770a07ec
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/226804980651bb4eb5f3ba3b9d7e992f2eda4710
ImageMagick6 (bugfix): https://github.com/ImageMagick/ImageMagick6/commit/83ec5b5b8ee7cae891fff59340be207b513a030d (6.9.11-41)
Issue mitigated by disabling ghostscript handled formats based on -SAFER insecurity,
cf 200-disable-ghostscript-formats.patch in 8:6.9.10.23+dfsg-2.1+deb10u1, but opens
#964090.
2 vectors for IM6:
1. stealth (ps:* delegates, hard-coded options)
broken between 78c7532f3ff5424de06e5d807cbb35c041bd2990 (6.9.4-2) and 8787fc6de99078fde055bd400b14e1ce3a2971f9 (6.9.8-1)
'-authenticate' replaced by '-define authenticate=' between 8787fc6de99078fde055bd400b14e1ce3a2971f9 (6.9.8-1) and 83ec5b above
2. bimodal ('-define delegate:bimodal=true' + pdf->(e)ps delegates, %a expansion) after 78c7532f3ff5424de06e5d807cbb35c041bd2990 (6.9.4-2)