In the package imagemagick , which is often used by Web developers to convert images, revealed vulnerability CVE-2022-44268 , which can lead to a leakage of the contents of the files in case of transformation using ImageMagick prepared by attacking PNG images. Vulnerability threatens the systems that process external images and then make it possible to load the results of the transformation.
Vulnerability is caused by the fact that when processing the PNG imagemagick, it uses the contents of the “Profile” parameter from the metadata block to determine the file name with the profile, which is included in the resulting file. Thus, for the attack, it is enough to add the “Profile” parameter to the PNG image with the necessary file route (for example, “/etc/passwd”) and when processing a similar image, for example, when the picture resolution changes, the output file will be turned on the contents of the required file . If you specify “-” instead of the name of the file, then the processor will hang in anticipation of input from the standard flow, which can be used to carry out the service of maintenance (CVE-2022-44267).
The update with the correction of vulnerability has not yet been released, but the developers of Imagemagick recommended as a roundabout to block leakage to create in settings rule , limiting access to certain file routes. For example, to ban access on absolute and relative ways in Policy.xml, you can add:
Openly, already a script to form the vulnerability of PNG images.
