ImageMagick: Command injection — GLSA 202101-36

A vulnerability in ImageMagick's handling of PDFs was discovered, possibly allowing code execution.

Affected packages

Package: media-gfx/imagemagick (all architectures)
Affected versions:   < 7.0.10.41-r1 (ImageMagick 7), < 6.9.11.41-r1 (ImageMagick 6)
Unaffected versions: >= 7.0.10.41-r1 (ImageMagick 7), >= 6.9.11.41-r1 (ImageMagick 6)

Background

A collection of tools and libraries for many image formats.

Description

A flaw in ImageMagick's handling of password-protected PDFs was discovered.

Impact

A remote attacker could entice a user to open a specially crafted PDF using ImageMagick, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

Do not open untrusted PDFs.

Resolution

All ImageMagick 7 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-7.0.10.41-r1"

All ImageMagick 6 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.9.11.41-r1"

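To check whether an installed ImageMagick falls inside the affected ranges above before scheduling the upgrade, here is an added example; it is not part of the advisory and not Gentoo's own tooling. It assumes version strings in the form Portage prints (dotted numbers with an optional -rN ebuild revision; suffixes such as _rc or _p are not handled), and takes lines in the shape of `qlist -Iv media-gfx/imagemagick` output, with the sample lines constructed rather than captured from a host. It goes slightly beyond the two commands above by comparing each branch against its own fixed version, which matters because every fixed 6.x version sorts numerically below every 7.x version, so a single global threshold would misclassify a patched ImageMagick 6.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as stated in GLSA 202101-36, keyed by ImageMagick major branch.
FIXED_BY_BRANCH: Dict[int, str] = {
    7: "7.0.10.41-r1",
    6: "6.9.11.41-r1",
}

# Numeric dotted version with an optional Gentoo "-rN" ebuild revision.
# Assumption/simplification: suffixes such as _rc1 or _p1 are not handled here.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.9.11.41-r1' into ((6, 9, 11, 41), 1); the revision defaults to 0."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) else 0
    return numbers, revision


def compare_versions(a: str, b: str) -> int:
    """Comparator returning -1, 0 or 1. Numeric components are compared
    positionally with missing trailing components treated as 0, and the -rN
    revision breaks ties, so 7.0.10.41 (revision 0) sorts below 7.0.10.41-r1.
    This is a deliberate simplification of Portage's PMS comparison; on a
    Gentoo host, portage.versions.vercmp is the authoritative implementation."""
    numbers_a, rev_a = parse_version(a)
    numbers_b, rev_b = parse_version(b)
    width = max(len(numbers_a), len(numbers_b))
    numbers_a += (0,) * (width - len(numbers_a))
    numbers_b += (0,) * (width - len(numbers_b))
    if numbers_a != numbers_b:
        return -1 if numbers_a < numbers_b else 1
    if rev_a != rev_b:
        return -1 if rev_a < rev_b else 1
    return 0


def is_affected(installed: str) -> bool:
    """True when the installed version is below the fix for its own branch.
    Branches are checked independently: 6.9.11.41-r1 sorts below 7.0.10.41-r1
    yet is an unaffected version, so a single global threshold would be wrong."""
    major = parse_version(installed)[0][0]
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        raise ValueError(f"ImageMagick {major}.x is not covered by GLSA 202101-36")
    return compare_versions(installed, fixed) < 0


def audit_installed(qlist_lines: List[str]) -> Dict[str, str]:
    """Map each installed media-gfx/imagemagick atom (assumed to be in the
    'category/package-version' shape printed by 'qlist -Iv') to
    'affected' or 'unaffected'. Lines for other packages are ignored."""
    prefix = "media-gfx/imagemagick-"
    result: Dict[str, str] = {}
    for line in qlist_lines:
        atom = line.strip()
        if not atom.startswith(prefix):
            continue
        version = atom[len(prefix):]
        result[atom] = "affected" if is_affected(version) else "unaffected"
    return result


# Constructed sample output, not captured from a real host.
SAMPLE_QLIST_OUTPUT = [
    "media-gfx/imagemagick-7.0.10.40",
    "media-gfx/imagemagick-6.9.11.41-r1",
]

if __name__ == "__main__":
    for atom, status in audit_installed(SAMPLE_QLIST_OUTPUT).items():
        print(f"{atom}: {status}")
```

On a real host, pipe `qlist -Iv media-gfx/imagemagick` into `audit_installed` instead of the constructed list; anything reported as affected is below the threshold the emerge commands above install.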
References

Release date
January 29, 2021

Latest revision
January 29, 2021: 1

Severity
normal

Exploitable
remote

Bugzilla entries