Skip to content

Possible Security Issue when Configuring the ImageMagick Security Policy

moderate
dlemstra published GHSA-qvhr-jj4p-j2qr Sep 13, 2021

Package

ImageMagick (App)

Affected versions

< 7.1.0-7; < 6.9.12-22

Patched versions

7.1.0-7; 6.9.12-22

Description

Impact

In certain cases, Postscript files could be read and written when specifically excluded by a module policy in policy.xml:

<policy domain="module" rights="none" pattern="PS" />

Patches

The issue has been resolved in ImageMagick 7.1.0-7 and 6.9.12-22.

Workarounds

Fortunately, in the wild, few users utilize the module policy and instead use the coder policy that is also our workaround recommendation:

<policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />

For more information

If you have any questions or comments about this advisory:

CVE ID

CVE-2021-39212