Ubuntu.comUB:CVE-2021-39212CVE-2021-39212
3.6 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
26.8%
ImageMagick is free software delivered as a ready-to-run binary
distribution or as source code that you may use, copy, modify, and
distribute in both open and proprietary applications. In affected versions
and in certain cases, Postscript files could be read and written when
specifically excluded by a module policy in policy.xml. ex. <policy
domain=“module” rights=“none” pattern=“PS” />. The issue has been resolved
in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few
users utilize the module policy and instead use the coder policy that
is also our workaround recommendation: <policy domain=“coder” rights=“none”
pattern=“{PS,EPI,EPS,EPSF,EPSI}” />.
Notes
| Author | Note |
|---|---|
| rayveldkamp | imagemagick is in universe from focal onwards |
| mdeslaur | packages in Ubuntu use the coder policy to exclude postscript files, not the module policy |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 20.04 | noarch | imagemagick | < 8:6.9.10.23+dfsg-2.1ubuntu11.9 | UNKNOWN |
| ubuntu | 22.04 | noarch | imagemagick | < 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+esm1 | UNKNOWN |
| ubuntu | 22.10 | noarch | imagemagick | < 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1 | UNKNOWN |
| ubuntu | 23.04 | noarch | imagemagick | < 8:6.9.11.60+dfsg-1.3ubuntu1 | UNKNOWN |
| ubuntu | 23.10 | noarch | imagemagick | < 8:6.9.11.60+dfsg-1.3ubuntu1 | UNKNOWN |
References
github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
launchpad.net/bugs/cve/CVE-2021-39212
nvd.nist.gov/vuln/detail/CVE-2021-39212
security-tracker.debian.org/tracker/CVE-2021-39212
ubuntu.com/security/notices/USN-5736-1
ubuntu.com/security/notices/USN-5736-2
ubuntu.com/security/notices/USN-6200-1
www.cve.org/CVERecord?id=CVE-2021-39212
Related
3.6 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
26.8%