Claus-Theodor Riegg
12 days
Stefan Xenopol
20 days
Claus-Theodor Riegg
6 years
Claus-Theodor Riegg
5 years
Andreas Vöst
3 months
Claus-Theodor Riegg
6 years

Fix Imagemagick CVE-2022-44268 in Ubuntu packages

Posted 2 days ago. Visible to the public.

A severe bug Show archive.org snapshot was found in ImageMagick by Bryan Gonzalez from Ocelot Team.
It allows to embed the content of an arbitrary remote file when ImageMagick parses PNG files.
We found lots of older versions of ImageMagick to be vulnerable.

So far there is no information on updated Packages for Ubuntu ( https://ubuntu.com/security/CVE-2022-44268 Show archive.org snapshot ).

Due to that we patched our systems as follows:

Ubuntu 22.04:

Get package source on a Ubuntu 22.04 system:

apt-get source imagemagick
cd imagemagick-6.9.11.60+dfsg/

Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:

vi coders/png.c

This is the diff we used:

>diff coders/png.c /tmp/source/imagemagick-6.9.11.60+dfsg/coders/png.c
3795d3794                                                                                                                      
<                   (LocaleCompare(key,"profile") == 0) || 

Add an entry to the changelog to get a different version for your package:

dch --newversion 8:6.9.11.60+dfsg-1.3build2.1

You can e.g. use this text for the Changelog entry:

imagemagick (8:6.9.11.60+dfsg-1.3build2.1) UNRELEASED; urgency=medium                                                      
                                                                                                                               
  * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)                                                             
  * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe              
                                                                                                                               
 -- YOUR NAME <YOUR@EMAIL-ADDRESS>  Sun, 05 Feb 2023 13:23:30 +0100

Build your package:

dpkg-buildpackage --jobs=8 -rfakeroot -b

After that you can install your updated libmagickcore-6.q16-6:

sudo dpkg -i libmagickcore-6.q16-6_6.9.11.60+dfsg-1.3build2.1_amd64.de

Ubuntu 20.04:

Get package source on a Ubuntu 20.04 system:

apt-get source imagemagick
cd imagemagick-6.9.10.23+dfsg/

Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:

vi coders/png.c

This is the diff we used:

>diff coders/png.c /tmp/source/imagemagick-6.9.10.23+dfsg/coders/png.c
3784,3795c3784
<               {
<                 char
<                   key[MaxTextExtent];
<
<                 (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
<                 if ((LocaleCompare(key,"version") == 0) ||
<                     (LocaleCompare(key,"profile") == 0) ||
<                     (LocaleCompare(key,"width") == 0))
<                   (void) FormatLocaleString(key,MagickPathExtent,"png:%s",
<                     text[i].key);
<                 (void) SetImageProperty(image,key,value);
<               }
---
>                (void) SetImageProperty(image,text[i].key,value);

Add an entry to the changelog to get a different version for your package:

dch --newversion 8:6.9.10.23+dfsg-2.1ubuntu11.4.1

You can e.g. use this text for the Changelog entry:

imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.4.1) UNRELEASED; urgency=medium                                                      
                                                                                                                               
  * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)                                                             
  * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe              
                                                                                                                               
 -- YOUR NAME <YOUR@EMAIL-ADDRESS>  Sun, 05 Feb 2023 13:23:30 +0100

Build your package:

dpkg-buildpackage --jobs=8 -rfakeroot -b

After that you can install your updated libmagickcore-6.q16-6:

sudo dpkg -i libmagickcore-6.q16-6_6.9.10.23+dfsg-2.1ubuntu11.4.1_amd64.deb

Ubuntu 18.04:

Get package source on a Ubuntu 18.04 system:

apt-get source imagemagick
cd imagemagick-6.9.7.4+dfsg/

Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:

vi coders/png.c

This is the diff we used:

# diff imagemagick-6.9.7.4+dfsg/coders/png.c ~/source/imagemagick-6.9.7.4+dfsg/coders/png.c 
3658,3669c3658
<           {
<               char
<                 key[MaxTextExtent];
< 
<             (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
<             if ((LocaleCompare(key,"version") == 0) ||
<                 (LocaleCompare(key,"profile") == 0) ||
<                 (LocaleCompare(key,"width") == 0))
<               (void) FormatLocaleString(key,MaxTextExtent,"png:%s",
<                 text[i].key);
<             (void) SetImageProperty(image,key,value);
<           }
---
>                (void) SetImageProperty(image,text[i].key,value);

Add an entry to the changelog to get a different version for your package:

dch --newversion 8:6.9.7.4+dfsg-16ubuntu6.14.1

You can e.g. use this text for the Changelog entry:

imagemagick (8:6.9.7.4+dfsg-16ubuntu6.14.1) UNRELEASED; urgency=medium                                                      
                                                                                                                               
  * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)                                                             
  * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe              
                                                                                                                               
 -- YOUR NAME <YOUR@EMAIL-ADDRESS>  Sun, 05 Feb 2023 13:23:30 +0100

Build your package:

dpkg-buildpackage --jobs=8 -rfakeroot -b

After that you can install your updated libmagickcore-6.q16-3:

sudo dpkg -i libmagickcore-6.q16-3_6.9.7.4+dfsg-16ubuntu6.14.1_amd64.deb
Last edit
About 17 hours ago
Kim Klotz
About this deck
We are makandra and do test-driven, agile Ruby on Rails software development.