CVE-2023-34152: Shell Command Injection Bug Affecting ImageMagick

CVE-2023-34152

In the world of open-source software, ImageMagick has long been revered as a potent tool for raster and vector image manipulation. Its vast array of capabilities—ranging from the display, conversion, and editing of more than 200 image file formats to diverse manipulation operations such as resizing, cropping, and color correction—renders it a formidable asset in the arsenal of graphics-related software. However, recent findings have brought to light a trio of security vulnerabilities that could transform this useful tool into a potential weapon in the hands of malicious entities.

CVE-2023-34152

CVE-2023-34151: Undefined behaviors of casting double to size_t in svg, mvg, and other coders

The first of these insidious security vulnerabilities, identified as CVE-2023-34151, arises from the undefined behavior of casting double to size_t in several coders, including svg and mvg. This subtlety was brought to attention by the intrepid researcher, Fullwaywang, who unearthed similar instances in previous vulnerabilities such as issue #4985, subsequently identified as CVE-2022-32546.

These concerns center around the casting of a width/height value in double to size_t or unsigned long, representing columns/rows number in pixels, and was initially found to affect the PCL format. Despite the application of a PCL-specific fix, Fullwaywang’s meticulous exploration using a CodeQL rule revealed analogous issues in various other readers’ ReadXXXImage functions, illustrating the breadth of this unaddressed vulnerability.

CVE-2023-34152: RCE (shell command injection) vulnerability

The second security vulnerability, labeled CVE-2023-34152, is an ominous manifestation of remote code execution (RCE) vulnerability in OpenBlob when configured with –enable-pipes. This issue, an incomplete fix to CVE-2016-5118, shows that any image file name commencing with a ‘|’ character triggers ImageMagick to popen the remainder of the file name.

While the initial solution to this problem involved adding a configure option –enable-pipes to specifically activate the support of pipes, it was found to be insufficient. The culprit is SanitizeString, which only filters out certain characters, allowing shell command injection through a malformed file name—a perilous vulnerability that necessitates immediate attention.

CVE-2023-34153: Shell command injection vulnerability

The final identified vulnerability, CVE-2023-34153, pertains to shell command injection via video:vsync or video:pixel-format options in VIDEO encoding/decoding. This flaw was exposed while examining the past vulnerabilities in ImageMagick, strikingly reminiscent of CVE-2020-29599.

ImageMagick supports user-defined options video:vsync and video:pixel-format, with their values integrated into a delegate command executed via ExternalDelegateCommand. Although the command string is sanitized with SanitizeString, the illegal char set does not include quot—a flaw identical to that found in sanitizing -authenticate parameter in PDF password support, underlining the need for a comprehensive remediation of this common vulnerability in ExternalDelegateCommand.