Bug 1190619 - (CVE-2021-39212) VUL-0: CVE-2021-39212: ImageMagick: Possible Security Issue when Configuring the ImageMagick Security Policy
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/309904/
CVSSv3.1:SUSE:CVE-2021-39212:4.4:(AV:...
Reported: 2021-09-17 14:49 UTC by Gianluca Gabrielli
Modified: 2021-09-20 10:14 UTC (History)
Found By: Security Response Team
Description Gianluca Gabrielli 2021-09-17 14:49:02 UTC
ImageMagick is free software delivered as a ready-to-run binary distribution or
as source code that you may use, copy, modify, and distribute in both open and
proprietary applications. In affected versions and in certain cases, PostScript
files could be read and written when specifically excluded by a `module` policy
in `policy.xml`, e.g. `<policy domain="module" rights="none" pattern="PS" />`. The
issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in
the wild, few users utilize the `module` policy and instead use the `coder`
policy that is also our workaround recommendation:
`<policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39212
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68
https://github.com/ImageMagick/ImageMagick/commit/35893e7cad78ce461fcaffa56076c11700ba5e4e
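
An added example (not part of this bug report and not ImageMagick code): a small Python check that reads a policy.xml document and reports which coders from the recommended workaround are not denied by a `coder` policy, and whether the file relies on a `module` rule alone. The function names and sample documents are constructed for illustration; the matching is a simplification that assumes case-insensitive glob patterns and ignores policy ordering and multiple policy files.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders named in the advisory's recommended `coder` policy.
PS_CODERS = ["PS", "EPI", "EPS", "EPSF", "EPSI"]

def expand(pattern):
    """Expand one level of {A,B,C} alternation, as used in policy patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [pattern[:m.start()] + alt + pattern[m.end():]
            for alt in m.group(1).split(",")]

def denies(policy, name):
    """True if this <policy> has rights="none" and its pattern matches name."""
    if policy.get("rights", "").strip().lower() != "none":
        return False
    # Assumption: patterns are compared case-insensitively.
    return any(fnmatch.fnmatchcase(name.upper(), p.strip().upper())
               for p in expand(policy.get("pattern", "")))

def audit_policy(xml_text):
    """Return (unblocked_coders, module_only) for a policy.xml document."""
    policies = ET.fromstring(xml_text).findall("policy")
    coder = [p for p in policies if p.get("domain", "").lower() == "coder"]
    module = [p for p in policies if p.get("domain", "").lower() == "module"]
    unblocked = [c for c in PS_CODERS if not any(denies(p, c) for p in coder)]
    # A module rule for PS with no coder rule behind it is the setup the
    # advisory says did not reliably exclude PostScript in affected versions.
    module_only = bool(unblocked) and any(denies(p, "PS") for p in module)
    return unblocked, module_only

# Constructed sample inputs (not taken from any shipped policy.xml).
MODULE_ONLY = """<policymap>
  <policy domain="module" rights="none" pattern="PS" />
</policymap>"""
WORKAROUND = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />
</policymap>"""

if __name__ == "__main__":
    for label, doc in (("module only", MODULE_ONLY), ("workaround", WORKAROUND)):
        print(label, audit_policy(doc))
```

An empty first element means every coder from the workaround is denied by a `coder` policy; `module_only` set to true marks a file that should gain the `coder` rule or run on a fixed version.
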
Comment 1 Gianluca Gabrielli 2021-09-17 14:51:04 UTC
I think that only openSUSE:Factory/ImageMagick (7.1.0.4) is affected.

I'd like to get the maintainer's feedback about:
 - SUSE:SLE-15:Update/ImageMagick      (7.0.7-34)
 - SUSE:SLE-15-SP2:Update/ImageMagick  (7.0.7-34)
Comment 2 Marcus Meissner 2021-09-18 13:02:36 UTC
We have some policy usage actually.

ImageMagick-config-7-SUSE

uses "coder" style policy in /etc/ImageMagick-7-SUSE/policy.xml to block PS
Comment 3 Petr Gajdos 2021-09-20 08:39:26 UTC
Yes, <policy.*domain="module" is Tumbleweed only, fixed by a version update.

Submitted for TW/ImageMagick.

I believe all fixed.
Comment 4 Gianluca Gabrielli 2021-09-20 10:14:59 UTC
Thanks Petr for the explanation and the submission.