Local path disclosure when using ImageMagick as a scaler
Closed, Resolved (Public)

Description

From original submitter:

Hello,
When using ImageMagick via the command line as an image scaler, the
"-thumbnail" argument that MediaWiki supplies as part of the command line
causes ImageMagick to embed "freedesktop.org Thumbnail Managing Standard"
metadata into the output image. Such metadata includes the local file path,
which exposes potentially sensitive information about the installation via
public access to the thumbnailed image.

Example metadata in an affected image: http://i.imgur.com/pAq7QBU.png

Tested on MW 1.22.5, code in git HEAD looked no different.

Imagemagick version: ImageMagick 6.8.9-9 Q16 x86_64 2015-01-05
http://www.imagemagick.org

As another negative side effect, this amount of metadata makes up a large
part of the file size on smaller images, which can waste bandwidth.

Regards,

Richard Stanway
Admin - teamliquid.net


patch:

  • 1.26 - same as master ()
  • 1.25 - same as master ()
  • 1.24 - same as master ()
  • 1.23 - same as master ()

affected versions:
type: CWE-201
CVE: CVE-2015-8005

dpatrick created this task.Aug 10 2015, 6:59 PM
dpatrick added projects: Vuln-Infoleak, Security.
dpatrick changed the visibility from "Public (No Login Required)" to "Custom Policy".
dpatrick changed the edit policy from "All Users" to "Custom Policy".
dpatrick changed Security from None to Software security bug.
dpatrick added a subscriber: dpatrick.
Restricted Application added a subscriber: Aklapper. Aug 10 2015, 6:59 PM
dpatrick claimed this task.Aug 10 2015, 7:09 PM
dpatrick added a comment.EditedAug 10 2015, 7:43 PM

Verified to affect HEAD, and PNG files only.

@Bawolff, it looks like this will require an upstream change in ImageMagick, adding a command line parameter to the convert utility to disable creation of thumbnail spec metadata. Any other ideas? Perhaps stripping the metadata in Bitmap.php just after invocation of convert?

dpatrick added a subscriber: R1CH.Aug 11 2015, 6:47 PM

Hmm, I think there might be another bug filed about this somewhere... not sure.

Anyways, I believe we can use the command line argument

+set 'Thumb::URI'

To get rid of the metadata parameter.

Bawolff added a subscriber: Gilles.Aug 12 2015, 9:33 AM

Thanks @Bawolff. I missed that parameter in my read of the docs. I just tested that and it works. I'll put together a patch.

Here's a patch that addresses this issue. @Bawolff, please take a look:

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Aug 12 2015, 11:43 PM

Fix looks good to me. I'm also not seeing any other extensions that add -thumbnail to $wgImageMagickConvertCommand.

Unless @Bawolff sees any issues, I think this is ready to deploy.

csteipp closed this task as "Resolved".

Deployed yesterday

(2015-09-08) 21:02 csteipp: deployed patches for T108616 T91850 T91205 to wmf21 & 22

@Bawolff, any qualms?

Sorry for not responding. Some days I get a lot of bugspam, and end up not reading a bunch of my phabricator mail and missing things.

Patch looks fine. We may want to get rid of the other thumb metadata (since it's pretty useless), or perhaps make the Thumb::URI point to the actual public URL of the original image. But those are non-security issues and can wait for later.

csteipp moved this task from Waiting to Done on the Security-Team board.Oct 13 2015, 11:55 PM
csteipp added a subscriber: Grunny.Oct 16 2015, 3:04 PM
csteipp added a subscriber: Ejegg.Oct 16 2015, 4:38 PM
csteipp edited the task description. Oct 16 2015, 4:43 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2015, 6:12 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.

Change 246871 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246871

Change 246876 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246876

Change 246881 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246881

Change 246887 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246887

Change 246871 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246871

Change 246876 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246876

Change 246881 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246881

Change 246976 had a related patch set uploaded (by Chad):
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246976

Change 246976 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246976

Change 246887 merged by jenkins-bot:
Avoid exposure of local path in PNG thumbnails

https://gerrit.wikimedia.org/r/246887

There has been a report on IRC that this patch is incompatible with GraphicsMagick when using it as the image scaler instead of ImageMagick.

dpatrick added a comment.EditedOct 17 2015, 10:21 PM

@Bawolff Do you have any more information on the specific problem or error message that the reporter encountered? Documentation for GraphicsMagick indicates that +set is supported.

They said an old version. I don't think very many people use gm. It's in the log file for #mediawiki for Oct 17.

I wrote the comment just to note it for the record. I'm not sure we really need to do something about it.

Alexia added a subscriber: Alexia.Oct 19 2015, 6:06 PM

I investigated the GraphicsMagick issue. At some point they merged in the "+set Thumb::URI" fix/feature, but I cannot find it in their change logs. The recommendation I have is for people using it to make sure they are running the latest version.

csteipp edited the task description. Nov 3 2015, 9:15 PM