Page MenuHomePhabricator
Create Task
Maniphest T108616

Local path disclosure when using ImageMagick as a scaler
Closed, ResolvedPublic
Actions

Description

From original submitter:

Hello,
When using ImageMagick via the command line as an image scaler, the
"-thumbnail" argument that MediaWiki supplies as part of the command line
causes ImageMagick to embed "freedesktop.org Thumbnail Managing Standard"
metadata into the output image. Such metadata includes the local file path,
which exposes potentially sensitive information about the installation via
public access to the thumbnailed image.

Example metadata in an affected image: http://i.imgur.com/pAq7QBU.png

Tested on MW 1.22.5, code in git HEAD looked no different.

Imagemagick version: ImageMagick 6.8.9-9 Q16 x86_64 2015-01-05
http://www.imagemagick.org

As another negative side effect, this amount of metadata makes up a large
part of the file size on smaller images, which can waste of bandwidth.

Regards,

Richard Stanway
Admin - teamliquid.net

patch:

T108616_00.patch929 BDownload

  • 1.26 - same as master (
    T108616_00.patch929 BDownload
    )
  • 1.25 - same as master (
    T108616_00.patch929 BDownload
    )
  • 1.24 - same as master (
    T108616_00.patch929 BDownload
    )
  • 1.23 - same as master (
    T108616_00.patch929 BDownload
    )

affected versions:
type: CWE-201
CVE: CVE-2015-8005

Details

SubjectRepoBranchLines +/-
Avoid exposure of local path in PNG thumbnailsmediawiki/coremaster+2 -0
Avoid exposure of local path in PNG thumbnailsmediawiki/coreREL1_26+2 -0
Avoid exposure of local path in PNG thumbnailsmediawiki/coreREL1_24+2 -0
Avoid exposure of local path in PNG thumbnailsmediawiki/coreREL1_23+2 -0
Avoid exposure of local path in PNG thumbnailsmediawiki/coreREL1_25+2 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

dpatrick created this task.Aug 10 2015, 6:59 PM
dpatrick raised the priority of this task from to Medium.
dpatrick updated the task description. (Show Details)
dpatrick added projects: Vuln-Infoleak, acl*security.
dpatrick changed the visibility from "Public (No Login Required)" to "Custom Policy".
dpatrick changed the edit policy from "All Users" to "Custom Policy".
dpatrick changed Security from None to Software security bug.
dpatrick subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 10 2015, 6:59 PM
dpatrick added a subscriber: csteipp.Aug 10 2015, 6:59 PM
dpatrick claimed this task.Aug 10 2015, 7:09 PM
dpatrick added a comment.Aug 10 2015, 7:14 PM

Related to T100546

dpatrick added a comment.EditedAug 10 2015, 7:43 PM

Verified to affect HEAD, and PNG files only.

dpatrick added a subscriber: Bawolff.Aug 10 2015, 9:00 PM
dpatrick added a comment.Aug 10 2015, 9:03 PM

@Bawolff, it looks like this will require an upstream change in ImageMagick, adding a command line parameter to the convert utility to disable creation of thumbnail spec metadata. Any other ideas? Perhaps stripping the metadata in Bitmap.php just after invocation of convert?

dpatrick added a subscriber: R1CH.Aug 11 2015, 6:47 PM
Bawolff added a comment.Aug 12 2015, 9:32 AM

Hmm, I think there might be another bug filed about this somewhere... not sure.

Anyways, I believe we can use the command line argument

+set 'Thumb::URI'

To get rid of the metadata parameter.

Bawolff added a subscriber: Gilles.Aug 12 2015, 9:33 AM
dpatrick added a comment.Aug 12 2015, 4:20 PM

Thanks @Bawolff. I missed that parameter in my read of the docs. I just tested that and it works. I'll put together a patch.

dpatrick added a project: Security-Team.Aug 12 2015, 4:22 PM
dpatrick moved this task from Incoming to In Progress on the Security-Team board.
dpatrick added a parent task: T108064: MediaWiki Security release 1.25.3.
dpatrick added a comment.Aug 12 2015, 10:59 PM

Here a patch that addresses this issue. @Bawolff, please take a look:

T108616_00.patch929 BDownload

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Aug 12 2015, 11:43 PM
csteipp added a comment.Aug 13 2015, 5:00 PM

Fix looks good to me. I'm also not seeing any other extensions that add -thumbnail to $wgImageMagickConvertCommand.

Unless @Bawolff sees any issues, I think this is ready to deploy.

dpatrick added a comment.Aug 21 2015, 5:44 AM

@Bawolff, any qualms?

csteipp closed this task as Resolved.Sep 9 2015, 10:13 PM
csteipp mentioned this in T91850: No rate limits on uploading files.

Deployed yesterday

(2015-09-08) 21:02 csteipp: deployed patches for T108616 T91850 T91205 to wmf21 & 22

csteipp mentioned this in T91205: ApiUpload needs sanity check on chunk size.Sep 9 2015, 10:14 PM
Bawolff added a comment.Sep 14 2015, 5:10 PM
In T108616#1559798, @dpatrick wrote:

@Bawolff, any qualms?

Sorry for not responding. Some days I get a lot of bugspam, and end up not reading a bunch of my phabricator mail and missing things.

Patch looks fine. We may want to get rid of the other thumb metadata (since its pretty useless), or perhaps make the Thumb::URI point to the actual public url of the original image. But those are non-security issues and can wait for later

Bawolff mentioned this in T113136: Imagemagick should use "-strip".Sep 19 2015, 8:10 PM
csteipp moved this task from Waiting to Our Part Is Done on the Security-Team board.Oct 13 2015, 11:55 PM
csteipp added a subscriber: Grunny.Oct 16 2015, 3:04 PM
csteipp added a subscriber: ProgramCeltic.Oct 16 2015, 4:09 PM
csteipp added a subscriber: Ejegg.Oct 16 2015, 4:38 PM
csteipp updated the task description. (Show Details)Oct 16 2015, 4:43 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2015, 6:12 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
gerritbot subscribed.Oct 16 2015, 6:19 PM

Change 246871 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246871

gerritbot added a project: Patch-For-Review.Oct 16 2015, 6:19 PM

Change 246876 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246876

gerritbot added a comment.Oct 16 2015, 6:20 PM

Change 246881 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246881

gerritbot added a comment.Oct 16 2015, 6:24 PM

Change 246887 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246887

gerritbot added a comment.Oct 16 2015, 7:03 PM

Change 246871 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246871

gerritbot added a comment.Oct 16 2015, 7:58 PM

Change 246876 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246876

gerritbot added a comment.Oct 16 2015, 7:58 PM

Change 246881 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246881

ReleaseTaggerBot added projects: MW-1.25-release, MW-1.24-release, MW-1.23-release.Oct 16 2015, 8:00 PM
gerritbot added a comment.Oct 16 2015, 8:56 PM

Change 246976 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246976

gerritbot added a comment.Oct 16 2015, 9:26 PM

Change 246976 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246976

ReleaseTaggerBot added a project: MW-1.26-release.Oct 16 2015, 10:00 PM
Ricordisamoa subscribed.Oct 16 2015, 11:00 PM
gerritbot added a comment.Oct 16 2015, 11:53 PM

Change 246887 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246887

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2015-10-27_(1.27.0-wmf.4)).Oct 17 2015, 12:00 AM
Bawolff added a comment.Oct 17 2015, 2:27 PM

There has been a report on irc that this patch is incompatible with graphickmagick when using it as the image scalar instead of imagemagick.

dpatrick added a comment.EditedOct 17 2015, 10:21 PM

@Bawolff Do you have any more information on the specific problem or error message that the reporter encountered? Documentation for GraphicsMagick indicates that [[http://www.graphicsmagick.org/GraphicsMagick.html#details+set|+set is supported]].

Bawolff added a comment.Oct 18 2015, 12:23 AM

They said an old version. I dont think very many people use gm. Its in the log file for MediaWiki-General for oct 17.

Bawolff added a comment.Oct 18 2015, 12:24 AM

I wrote the comment just to note it for the record. Im not sure we really need to do something about it.

Alexia subscribed.Oct 19 2015, 6:06 PM

I investigated the GraphicsMagick issue. At some point they merged in the "+set Thumb::URI" fix/feature, but I can not find it in their change logs. The recommendation I have is for people using it to make sure they are running the latest version.

csteipp updated the task description. (Show Details)Nov 3 2015, 9:15 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits