VYPR
Unrated severity · NVD Advisory · Published Dec 7, 2020 · Updated Aug 4, 2024

CVE-2020-29599

Description

A shell injection vulnerability in ImageMagick's -authenticate option allows arbitrary command execution when processing password-protected PDF files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick before version 6.9.11-40 and 7.x before version 7.0.10-40 contains a vulnerability in the -authenticate option used for setting a password for password-protected PDF files. The user-supplied password is not properly escaped or sanitized in coders/pdf.c, allowing injection of arbitrary shell commands into the external command invoked by ImageMagick when processing such PDF files[1][3].

Exploitation

An attacker can exploit this vulnerability by crafting a PDF file with a malicious password and enticing a user to open it with ImageMagick using the -authenticate option. The attacker does not need prior authentication or special privileges; they only need to convince the victim to process the file (e.g., via email or web download). The injected shell commands are executed within the context of the image conversion process, which typically uses external programs like Ghostscript to handle PDF files[1][2].

Impact

Successful exploitation allows arbitrary command execution with the privileges of the user running ImageMagick. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or denial of service. The vulnerability affects both ImageMagick 6.x and 7.x series[1][2].

Mitigation

The vulnerability has been patched in ImageMagick versions 6.9.11-40 and 7.0.10-40. Users should upgrade to these versions or later. Gentoo Linux has released updated packages (>=media-gfx/imagemagick-6.9.11.41-r1 for ImageMagick 6 and >=media-gfx/imagemagick-7.0.10.41-r1 for ImageMagick 7). As a workaround, users should avoid processing untrusted PDF files with the -authenticate option until patched[1][2][3].
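
To check an inventory against the fixed releases named above, the following Python script classifies ImageMagick version strings as affected, fixed or unknown. It is an added example, not part of the advisory or of ImageMagick; the function names are hypothetical, and the host names and version lines are constructed sample data.

```python
import re

# Fixed releases named in the advisory text above, one per series.
FIXED_6 = (6, 9, 11, 40)
FIXED_7 = (7, 0, 10, 40)

# Matches upstream "7.0.10-34" and Gentoo-style "7.0.10.41-r1" version strings.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[-.](\d+)")


def parse_version(text):
    """Return (major, minor, micro, patch) found in text, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(g) for g in match.groups()) if match else None


def classify(text):
    """Classify a version banner or package string for CVE-2020-29599."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # 7.x and later compare against the 7.x fix; everything older
    # compares against the 6.x fix.
    fixed = FIXED_7 if version[0] >= 7 else FIXED_6
    return "affected" if version < fixed else "fixed"


def audit(inventory):
    """Map each host name to its classification."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory: output of `convert -version` (first line)
# or a package atom, as a collection script might record it.
SAMPLE_INVENTORY = {
    "web01": "Version: ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org",
    "web02": "Version: ImageMagick 7.0.10-34 Q16 x86_64 2020-10-09 https://imagemagick.org",
    "img02": "Version: ImageMagick 6.9.11-40 Q16 x86_64 2020-11-21 https://imagemagick.org",
    "build01": "media-gfx/imagemagick-7.0.10.41-r1",
    "legacy": "convert: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check; distribution packages may also carry backported fixes that the upstream version number does not reflect.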

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4
