Defect #26051

Please correct the vulnerability of imagemagick(CVE-2017-9098)

Added by Sahya Norn about 3 years ago. Updated about 3 years ago.

Status:ClosedStart date:
Priority:HighDue date:
Assignee:-% Done:

0%

Category:-
Target version:-
Resolution:Wont fix Affected version:

Description

Please correct the vulnerability of imagemagick(CVE-2017-9098)

https://access.redhat.com/security/cve/cve-2017-9098

History

#1 Updated by Toshi MARUYAMA about 3 years ago

How do you think we should do?

#2 Updated by Go MAEDA about 3 years ago

Sahya, thank you for reporting this issue so quickly.

I think that Redmine 3.3.2 / 3.2.5 (released on 2017-01-07) and later are not affected with the vulnerability because they don't process Utah RLE images. By the change introduced in r16092, Redmine don't make ImageMagick process a image if the image format is not BMP, GIF, JPEG and PNG. But older versions of Redmine are vulnerable.

#3 Updated by Toshi MARUYAMA about 3 years ago

On my CentOS7.

$ wget https://downloads.sourceforge.net/project/utahrastertoolkit/urt-img.tar
$ tar xf urt-img.tar
$ LC_ALL=C file img/christmas_ball.rle 
img/christmas_ball.rle: RLE image data, 400 x 400, clear first, alpha channel, comment, 3 color channels, 8 bits per pixel
$ sudo mv /usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.so /usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.so.CVE-2017-9098
$ convert img/christmas_ball.rle img/christmas_ball.png
convert: unable to load module `/usr/lib64/ImageMagick-6.7.8/modules-Q16/coders/rle.la': file not found @ error/module.c/OpenModule/1278.
convert: no decode delegate for this image format `img/christmas_ball.rle' @ error/constitute.c/ReadImage/544.
convert: no images defined `img/christmas_ball.png' @ error/convert.c/ConvertImageCommand/3046.
$ echo $?
1
$ LC_ALL=C ls img/christmas_ball.png
ls: cannot access img/christmas_ball.png: No such file or directory

#4 Updated by Sahya Norn about 3 years ago

Toshi MARUYAMA wrote:
How do you think we should do?

I think severity level of the vulnerability is high.
And any website is fixed.
I remember that Redmine use imagemagick.
So I reported this issue.

#5 Updated by Go MAEDA about 3 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

I think we can close this issue because current versions of Redmine (3.3.2 / 3.2.5 and later) don't treat Utah RLE files as images (r16092), therefore, they are not affected with the vulnerability.

Sahya, thank you for letting us know this serious vulnerability.

Also available in: Atom PDF