Fix Imagemagick CVE-2022-44268 in Ubuntu packages
A
severe bug
Show archive.org snapshot
was found in ImageMagick by Bryan Gonzalez from Ocelot Team.
It allows to embed the content of an arbitrary remote file when ImageMagick parses PNG files.
We found lots of older versions of ImageMagick to be vulnerable.
So far there is no information on updated Packages for Ubuntu ( https://ubuntu.com/security/CVE-2022-44268 Show archive.org snapshot ).
Due to that we patched our systems as follows:
Ubuntu 22.04:
Get package source on a Ubuntu 22.04 system:
apt-get source imagemagick
cd imagemagick-6.9.11.60+dfsg/
Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:
vi coders/png.c
This is the diff we used:
>diff coders/png.c /tmp/source/imagemagick-6.9.11.60+dfsg/coders/png.c
3795d3794
< (LocaleCompare(key,"profile") == 0) ||
Add an entry to the changelog to get a different version for your package:
dch --newversion 8:6.9.11.60+dfsg-1.3build2.1
You can e.g. use this text for the Changelog entry:
imagemagick (8:6.9.11.60+dfsg-1.3build2.1) UNRELEASED; urgency=medium
* SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)
* Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe
-- YOUR NAME <YOUR@EMAIL-ADDRESS> Sun, 05 Feb 2023 13:23:30 +0100
Build your package:
dpkg-buildpackage --jobs=8 -rfakeroot -b
After that you can install your updated libmagickcore-6.q16-6:
sudo dpkg -i libmagickcore-6.q16-6_6.9.11.60+dfsg-1.3build2.1_amd64.de
Ubuntu 20.04:
Get package source on a Ubuntu 20.04 system:
apt-get source imagemagick
cd imagemagick-6.9.10.23+dfsg/
Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:
vi coders/png.c
This is the diff we used:
>diff coders/png.c /tmp/source/imagemagick-6.9.10.23+dfsg/coders/png.c
3784,3795c3784
< {
< char
< key[MaxTextExtent];
<
< (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
< if ((LocaleCompare(key,"version") == 0) ||
< (LocaleCompare(key,"profile") == 0) ||
< (LocaleCompare(key,"width") == 0))
< (void) FormatLocaleString(key,MagickPathExtent,"png:%s",
< text[i].key);
< (void) SetImageProperty(image,key,value);
< }
---
> (void) SetImageProperty(image,text[i].key,value);
Add an entry to the changelog to get a different version for your package:
dch --newversion 8:6.9.10.23+dfsg-2.1ubuntu11.4.1
You can e.g. use this text for the Changelog entry:
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.4.1) UNRELEASED; urgency=medium
* SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)
* Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe
-- YOUR NAME <YOUR@EMAIL-ADDRESS> Sun, 05 Feb 2023 13:23:30 +0100
Build your package:
dpkg-buildpackage --jobs=8 -rfakeroot -b
After that you can install your updated libmagickcore-6.q16-6:
sudo dpkg -i libmagickcore-6.q16-6_6.9.10.23+dfsg-2.1ubuntu11.4.1_amd64.deb
Ubuntu 18.04:
Get package source on a Ubuntu 18.04 system:
apt-get source imagemagick
cd imagemagick-6.9.7.4+dfsg/
Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:
vi coders/png.c
This is the diff we used:
# diff imagemagick-6.9.7.4+dfsg/coders/png.c ~/source/imagemagick-6.9.7.4+dfsg/coders/png.c
3658,3669c3658
< {
< char
< key[MaxTextExtent];
<
< (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
< if ((LocaleCompare(key,"version") == 0) ||
< (LocaleCompare(key,"profile") == 0) ||
< (LocaleCompare(key,"width") == 0))
< (void) FormatLocaleString(key,MaxTextExtent,"png:%s",
< text[i].key);
< (void) SetImageProperty(image,key,value);
< }
---
> (void) SetImageProperty(image,text[i].key,value);
Add an entry to the changelog to get a different version for your package:
dch --newversion 8:6.9.7.4+dfsg-16ubuntu6.14.1
You can e.g. use this text for the Changelog entry:
imagemagick (8:6.9.7.4+dfsg-16ubuntu6.14.1) UNRELEASED; urgency=medium
* SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)
* Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe
-- YOUR NAME <YOUR@EMAIL-ADDRESS> Sun, 05 Feb 2023 13:23:30 +0100
Build your package:
dpkg-buildpackage --jobs=8 -rfakeroot -b
After that you can install your updated libmagickcore-6.q16-3:
sudo dpkg -i libmagickcore-6.q16-3_6.9.7.4+dfsg-16ubuntu6.14.1_amd64.deb