Specially crafted SVG hangs ImageMagick forever, possible to leverage DoS #4626
Comments
I can't reproduce the problem with IM v7.0.8-4. Which delegate are you using? For me, Inkscape refuses to open the SVG. MSVG and RSVG return quickly, with a white image. Does limiting resources (such as time) cure the problem for you?

I'm using the default delegate.xml shipped with the latest Ubuntu stable release, 20.04.3 x86_64. delegate.xml (attached)
Convert hangs forever somewhere here.
Content of the temporary file generated.
These commands run forever and never exit by themselves, so I think there needs to be some kind of alarm or timeout when opening the file, if checking the fd is difficult in this case.
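The reporter's suggestion above is to inspect the descriptor before read() is called. The following is an added example written for this page, not ImageMagick's own fix and not any function from its code base: a helper, here called open_regular_file (a hypothetical name), that opens a path with O_NONBLOCK so that open() itself cannot block on a FIFO, then fstat()s the descriptor and refuses anything that is not a regular file. Checking the descriptor rather than the path string catches /dev/stdin, /proc/self/fd/N and any other alias of a pipe, tty or socket without having to enumerate path prefixes. The demo_ functions build their own fixtures (a FIFO with no writer and a small regular file) so the example runs offline.

```c
/* Added example (not ImageMagick's code): only read image data from regular
 * files, so an SVG referencing /dev/stdin or /proc/self/fd/1 cannot park the
 * decoder in a read() that never returns. open_regular_file and the demo_
 * helpers are hypothetical names chosen for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` read-only, but only if the descriptor refers to a regular file.
 * O_NONBLOCK makes open() return immediately even for a FIFO with no writer.
 * fstat() on the opened descriptor (not stat() on the path) closes the window
 * between check and open. Returns a blocking fd, or -1 with errno set
 * (EINVAL means "not a regular file"). */
int open_regular_file(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        /* FIFO, character device (tty), socket, ...: a read() may never return. */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    /* Restore ordinary blocking semantics for the caller's read() loop. */
    int flags = fcntl(fd, F_GETFL);
    if (flags >= 0)
        (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    return fd;
}

/* Reserve a unique temporary name, preferring /tmp and falling back to the
 * working directory. Returns the open fd from mkstemp(), or -1. */
static int make_temp(char *buf, size_t n) {
    snprintf(buf, n, "/tmp/svg-demo-XXXXXX");
    int fd = mkstemp(buf);
    if (fd < 0) {
        snprintf(buf, n, "./svg-demo-XXXXXX");
        fd = mkstemp(buf);
    }
    return fd;
}

/* Constructed fixture: a FIFO with no writer, the kind of endpoint a plain
 * open()+read() would block on forever. Returns 1 if the helper rejected it. */
int demo_fifo_rejected(void) {
    char path[64];
    int tmp = make_temp(path, sizeof path);
    if (tmp < 0)
        return 0;
    close(tmp);
    unlink(path);                      /* reuse the unique name for the FIFO */
    if (mkfifo(path, 0600) < 0)
        return 0;
    int fd = open_regular_file(path);
    int rejected = (fd < 0 && errno == EINVAL);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return rejected;
}

/* Constructed fixture: a real file holding a tiny SVG; the helper must accept
 * it and the bytes must read back intact. Returns 1 on success. */
int demo_regular_accepted(void) {
    static const char payload[] = "<svg xmlns=\"http://www.w3.org/2000/svg\"/>";
    const ssize_t len = (ssize_t)(sizeof payload - 1);
    char path[64];
    int tmp = make_temp(path, sizeof path);
    if (tmp < 0)
        return 0;
    if (write(tmp, payload, (size_t)len) != len) {
        close(tmp);
        unlink(path);
        return 0;
    }
    close(tmp);
    int ok = 0;
    int fd = open_regular_file(path);
    if (fd >= 0) {
        char buf[128];
        ssize_t n = read(fd, buf, sizeof buf);
        ok = (n == len) && memcmp(buf, payload, (size_t)len) == 0;
        close(fd);
    }
    unlink(path);
    return ok;
}

int main(void) {
    printf("FIFO rejected:      %s\n", demo_fifo_rejected() ? "yes" : "no");
    printf("/dev/null rejected: %s\n", open_regular_file("/dev/null") < 0 ? "yes" : "no");
    printf("regular accepted:   %s\n", demo_regular_accepted() ? "yes" : "no");
    return 0;
}
```

A descriptor-type check like this complements, rather than replaces, the time limit the maintainer asks about: the type check stops the hang at its source for special files, while a resource limit still bounds legitimately large or slow inputs.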
Try installing Inkscape. IM should use that and it is better.

I already have inkscape installed on my PC.
Note: It still causes an issue regardless of whether inkscape is installed or not.
I built the latest version of ImageMagick (ImageMagick 7.1.0-18) from sources and found that it's still reproducible on the latest versions, although the payload needs to be changed a little bit.
Modified payload:
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
<image href="/dev/stdin" />
<svg width="1024px" height="1024px" />
</svg>
Test without inkscape (hangs)
Perhaps you don't need inkscape to convert an SVG file either.
Test with inkscape (does not seem to hang this time)
Tested on Ubuntu 21.04
ImageMagick configure
As mentioned earlier, the default package without
As I asked above: Does limiting resources (such as time) cure the problem for you?

Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/download/beta/ by sometime tomorrow.

Yes. It should help, but only to a certain extent. There are some rare cases where The best way would be to detect
Tested ImageMagick 7.1.0-20 on Ubuntu 21.04.
$ convert -version
Version: ImageMagick 7.1.0-20 Q16-HDRI x86_64 2021-12-22 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jp2 jpeg lcms lqr lzma openexr png tiff x xml zlib
Compiler: gcc (10.3)
$ convert -verbose attack.svg attack.png
'inkscape' '/tmp/magick-twCAk57ZWHyxKT5NSfJ4omkgtAHSiYvR' --export-filename='/tmp/magick-nuV9Vh_kdAhYKjqDQIHlWtzxL6szOlVH.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='0.99999999999900002212' > '/tmp/magick-irpVl0ub-PruzN6c-AS1jrblDa4mryCq' 2>&1
mvg:/tmp/magick-Clqs67jnm-4NnaGBz4D4eRcgBemmcqCH=>/tmp/magick-Clqs67jnm-4NnaGBz4D4eRcgBemmcqCH MVG 100x100 100x100+0+0 16-bit sRGB 470B 0.000u 0:00.004
attack.svg SVG 100x100 100x100+0+0 16-bit sRGB 470B 0.000u 0:00.000
attack.svg=>attack.png SVG 100x100 100x100+0+0 16-bit sRGB 470B 0.000u 0:00.001
convert: no decode delegate for this image format `' @ error/constitute.c/ReadImage/572.
convert: non-conforming drawing primitive definition `image' @ error/draw.c/RenderMVGContent/4465.

https://build.opensuse.org/request/show/943529 by user pgajdos + dimstar_suse
- update to 7.1.0.19:
  * support -integral option.
  * possible DoS for certain SVG constructs (reference ImageMagick/ImageMagick#4626).
- update to 7.1.0.18:
  * support face index for font collections, e.g. msgothic.ttc[1].
  * Improved adjustment of page offset when resizing an image.
(forwarded request 943180 from dirkmueller)

2021-12-22 7.1.0-19 <quetzlzacatenango@image...>
  * Release ImageMagick version 7.1.0-19 GIT revision 19456:d7f1b2b9b:20211222
2021-12-22 7.1.0-19 <quetzlzacatenango@image...>
  * support -integral option.
  * possible DoS for certain SVG constructs (reference ImageMagick/ImageMagick#4626).
2021-12-18 7.1.0-18 <quetzlzacatenango@image...>
  * Release ImageMagick version 7.1.0-18 GIT revision 19447:6c7d62f7d:20211218
2021-12-11 7.1.0-18 <quetzlzacatenango@image...>
  * support face index for font collections, e.g. msgothic.ttc[1].
2021-12-11 7.1.0-18 Dirk Lemstra <dirk@lem.....org>
  * Improved adjustment of page offset when resizing an image.
CVE-2021-4219 was assigned to this issue.
Tested ImageMagick version
6.9.10-23, 7.1.0-18
Fixed Versions
6.9.12-34, 7.1.0-19
Operating system
Linux
Operating system, version and so on
Ubuntu 20.04.3 LTS / Ubuntu 21.04
Description
A specially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file. There seem to be a lot of websites affected by this bug, and uploading this PoC file to the server causes a complete hang.
I think it would be better to check the file descriptor coming from /proc and /dev before read() is done.
Steps to Reproduce