VDB
KO
MEDIUM 5.9

GHSA-xwc6-v6g8-pw2h

ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access

Details

The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams:

```xml <policy domain="path" rights="none" pattern="-"/> ```

However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”.

To resolve this, users can add the following change to their security policy.

```xml <policy domain="path" rights="none" pattern="fd:*"/> ```

And this will also be included in ImageMagick's more secure policies by default.

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / Magick.NET-Q16-AnyCPU
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-AnyCPU --version 14.10.3
NuGet / Magick.NET-Q16-HDRI-AnyCPU
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-HDRI-AnyCPU --version 14.10.3
NuGet / Magick.NET-Q16-HDRI-OpenMP-arm64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-HDRI-OpenMP-arm64 --version 14.10.3
NuGet / Magick.NET-Q16-HDRI-arm64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-HDRI-arm64 --version 14.10.3
NuGet / Magick.NET-Q16-HDRI-x64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-HDRI-x64 --version 14.10.3
NuGet / Magick.NET-Q16-HDRI-x86
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-HDRI-x86 --version 14.10.3
NuGet / Magick.NET-Q16-OpenMP-arm64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-OpenMP-arm64 --version 14.10.3
NuGet / Magick.NET-Q16-OpenMP-x64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-OpenMP-x64 --version 14.10.3
NuGet / Magick.NET-Q16-OpenMP-x86
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-OpenMP-x86 --version 14.10.3
NuGet / Magick.NET-Q16-arm64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-arm64 --version 14.10.3
NuGet / Magick.NET-Q16-x64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q16-x64 --version 14.10.3
NuGet / Magick.NET-QMagick.NET-Q16-x8616-x64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-QMagick.NET-Q16-x8616-x64 --version 14.10.3
NuGet / Magick.NET-Q8-AnyCPU
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q8-AnyCPU --version 14.10.3
NuGet / Magick.NET-Q8-OpenMP-arm64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q8-OpenMP-arm64 --version 14.10.3
NuGet / Magick.NET-Q8-OpenMP-x64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q8-OpenMP-x64 --version 14.10.3
NuGet / Magick.NET-Q8-arm64
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q8-arm64 --version 14.10.3
NuGet / Magick.NET-Q8-x86
Introduced in: 0 Fixed in: 14.10.3
Fix dotnet add package Magick.NET-Q8-x86 --version 14.10.3

References