Okay, this needs immediate reverting, Paulo - CVE-2022-44267_44268-2.patch (or -3.patch for jammy) removes any access to /etc/, so ImageMagick can't even load its own /etc/ImageMagick/type-ghostscript.xml for GS font usage anymore!
See bug https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2012684
This "mitigation" should not have been added. My PoC PNG file exfiltrated /etc/hosts, but it could just as well have been /var/log/syslog, or /usr/local/foobar/etc/secretfile, or /proc/1/environ. There is no point in trying to address this via a policy file. The fix must be in code, and it is, so this policy file change can be removed again.
I am attaching corrected and cleaned up patches for focal and jammy, split into two parts the way I initially proposed.
(Your focal patch files are named ..._1.patch and ...-2.patch, FYI).