Claus-Theodor Riegg
1 year
Moritz Kraus
1 year
Claus-Theodor Riegg
1 year
Stefan Xenopol
1 year

Fix Imagemagick CVE-2022-44268 in Ubuntu packages

Posted . Visible to the public.

A severe bug Show archive.org snapshot was found in ImageMagick by Bryan Gonzalez from Ocelot Team.
It allows to embed the content of an arbitrary remote file when ImageMagick parses PNG files.
We found lots of older versions of ImageMagick to be vulnerable.

So far there is no information on updated Packages for Ubuntu ( https://ubuntu.com/security/CVE-2022-44268 Show archive.org snapshot ).

Due to that we patched our systems as follows:

Ubuntu 22.04:

Get package source on a Ubuntu 22.04 system:

apt-get source imagemagick
cd imagemagick-6.9.11.60+dfsg/

Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:

vi coders/png.c

This is the diff we used:

>diff coders/png.c /tmp/source/imagemagick-6.9.11.60+dfsg/coders/png.c
3795d3794                                                                                                                      
<                   (LocaleCompare(key,"profile") == 0) || 

Add an entry to the changelog to get a different version for your package:

dch --newversion 8:6.9.11.60+dfsg-1.3build2.1

You can e.g. use this text for the Changelog entry:

imagemagick (8:6.9.11.60+dfsg-1.3build2.1) UNRELEASED; urgency=medium                                                      
                                                                                                                               
  * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)                                                             
  * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe              
                                                                                                                               
 -- YOUR NAME <YOUR@EMAIL-ADDRESS>  Sun, 05 Feb 2023 13:23:30 +0100

Build your package:

dpkg-buildpackage --jobs=8 -rfakeroot -b

After that you can install your updated libmagickcore-6.q16-6:

sudo dpkg -i libmagickcore-6.q16-6_6.9.11.60+dfsg-1.3build2.1_amd64.de

Ubuntu 20.04:

Get package source on a Ubuntu 20.04 system:

apt-get source imagemagick
cd imagemagick-6.9.10.23+dfsg/

Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:

vi coders/png.c

This is the diff we used:

>diff coders/png.c /tmp/source/imagemagick-6.9.10.23+dfsg/coders/png.c
3784,3795c3784
<               {
<                 char
<                   key[MaxTextExtent];
<
<                 (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
<                 if ((LocaleCompare(key,"version") == 0) ||
<                     (LocaleCompare(key,"profile") == 0) ||
<                     (LocaleCompare(key,"width") == 0))
<                   (void) FormatLocaleString(key,MagickPathExtent,"png:%s",
<                     text[i].key);
<                 (void) SetImageProperty(image,key,value);
<               }
---
>                (void) SetImageProperty(image,text[i].key,value);

Add an entry to the changelog to get a different version for your package:

dch --newversion 8:6.9.10.23+dfsg-2.1ubuntu11.4.1

You can e.g. use this text for the Changelog entry:

imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.4.1) UNRELEASED; urgency=medium                                                      
                                                                                                                               
  * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)                                                             
  * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe              
                                                                                                                               
 -- YOUR NAME <YOUR@EMAIL-ADDRESS>  Sun, 05 Feb 2023 13:23:30 +0100

Build your package:

dpkg-buildpackage --jobs=8 -rfakeroot -b

After that you can install your updated libmagickcore-6.q16-6:

sudo dpkg -i libmagickcore-6.q16-6_6.9.10.23+dfsg-2.1ubuntu11.4.1_amd64.deb

Ubuntu 18.04:

Get package source on a Ubuntu 18.04 system:

apt-get source imagemagick
cd imagemagick-6.9.7.4+dfsg/

Apply the patch Show archive.org snapshot with additional code which wasn't backported to the ubuntu version yet:

vi coders/png.c

This is the diff we used:

# diff imagemagick-6.9.7.4+dfsg/coders/png.c ~/source/imagemagick-6.9.7.4+dfsg/coders/png.c 
3658,3669c3658
<           {
<               char
<                 key[MaxTextExtent];
< 
<             (void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
<             if ((LocaleCompare(key,"version") == 0) ||
<                 (LocaleCompare(key,"profile") == 0) ||
<                 (LocaleCompare(key,"width") == 0))
<               (void) FormatLocaleString(key,MaxTextExtent,"png:%s",
<                 text[i].key);
<             (void) SetImageProperty(image,key,value);
<           }
---
>                (void) SetImageProperty(image,text[i].key,value);

Add an entry to the changelog to get a different version for your package:

dch --newversion 8:6.9.7.4+dfsg-16ubuntu6.14.1

You can e.g. use this text for the Changelog entry:

imagemagick (8:6.9.7.4+dfsg-16ubuntu6.14.1) UNRELEASED; urgency=medium                                                      
                                                                                                                               
  * SECURITY UPDATE: possible arbitrary file leak (CVE-2022-44268)                                                             
  * Backport upstream https://github.com/ImageMagick/ImageMagick6/commit/3c5188b41902a909e163492fb0c19e49efefcefe              
                                                                                                                               
 -- YOUR NAME <YOUR@EMAIL-ADDRESS>  Sun, 05 Feb 2023 13:23:30 +0100

Build your package:

dpkg-buildpackage --jobs=8 -rfakeroot -b

After that you can install your updated libmagickcore-6.q16-3:

sudo dpkg -i libmagickcore-6.q16-3_6.9.7.4+dfsg-16ubuntu6.14.1_amd64.deb
Last edit
Kim Klotz
License
Source code in this card is licensed under the MIT License.