CVE-2024-41817
Description
ImageMagick is a free and open-source software suite, used for editing and manipulating digital images. The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. The vulnerability is fixed in 7.11-36.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Immediate: If you must continue using the vulnerable AppImage, wrap invocations to sanitize environment and CWD:
#!/bin/bash
export MAGICK_CONFIGURE_PATH="/etc/ImageMagick-7"
export LD_LIBRARY_PATH="/usr/lib/ImageMagick-7"
cd /var/empty # or another non-writable dir
exec /opt/imagemagick.appimage "$@"Permanent: Migrate to your distribution's native package (apt install imagemagick, yum install ImageMagick) or upgrade AppImage to ≥7.1.1-36.
Rollback: Remove the wrapper script; original AppImage behavior resumes (vulnerable).
Verification: strings imagemagick.appimage | grep -E 'MAGICK_CONFIGURE_PATH|LD_LIBRARY_PATH' should not show empty path components (::)
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0 |
| sid | Fixed | 0 |
| forky | Fixed | 0 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.