CVE-2024-41817
Description
ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Immediate: If you must continue using the vulnerable AppImage, wrap invocations to sanitize environment and CWD:
#!/bin/bash
export MAGICK_CONFIGURE_PATH="/etc/ImageMagick-7"
export LD_LIBRARY_PATH="/usr/lib/ImageMagick-7"
cd /var/empty # or another non-writable dir
exec /opt/imagemagick.appimage "$@"Permanent: Migrate to your distribution's native package (apt install imagemagick, yum install ImageMagick) or upgrade AppImage to โฅ7.1.1-36.
Rollback: Remove the wrapper script; original AppImage behavior resumes (vulnerable).
Verification: strings imagemagick.appimage | grep -E 'MAGICK_CONFIGURE_PATH|LD_LIBRARY_PATH' should not show empty path components (::)
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.