Welcome to SparkyLinux forums
Zapraszamy również na polsko-języczne Forum https://forum.linuxiarze.pl

Imagemagick, possible EXPLOIT or is it valid Sparky package?

Started by SparkyBookworm, May 07, 2023, 03:00:19 AM

Previous topic - Next topic

SparkyBookworm

An 'Imagemagick Quantum Depth 16' application appeared out of nowhere on my menu, I did not install this.

I promptly removed it and all related packages about ~4 in total, some of them being 'chafa', "libmagickwand", imagemagick-commons.

Is this package somehow associated with the LibreOffice Suite?

The only reference to this application I can find in the Sparky documentation is here:
https://wiki.sparkylinux.org/doku.php/sparky_multimedia?s

Documentation(s) on the potential exploit:
https://rhinosecuritylabs.com/research/imagemagick-exploit-remediation/
https://listarchives.libreoffice.org/global/users/2016/msg01398.html

More info about Ubuntu's ESM apps (in Ubuntu 'Imagemagick' is considered to be one of these apps):
https://ubuntu.com/security/notices/USN-5855-4
https://askubuntu.com/questions/1452497/what-are-esm-apps-and-how-do-they-relate-to-ubuntu-pro
https://forum.xfce.org/viewtopic.php?pid=71654

Thanks Pavroo!

I downloaded and read through some of the package list plaintext files, here:
https://sparkylinux.org/download/
I quickly scanned the package lists for Openbox stable, rolling and Xfce rolling, CLI rolling... I don't remember seeing Chafa or Imagemagick packages being listed in rolling or stable? I keep a very tight minimal as possible system so I tend to notice packages and read what they do, etc.

Imagemagick appeared on all of my (minimal  as possible Sparky) PCs except one, ironically the PC I experiment on the most (by downloading and removing random packages to see what happens) this testdummy Pc did not end up with Imagemagick installed on it. On this experimental system I also installed Kaisen ('for IT professionals') distro as a virtual machine which really made the Sparky system go awfully haywire such that I had to eventually remove the Kaisen VM as it literally has almost every IT tool installed under the sun, which way too much software for me to handle.

SparkyBookworm

Has anyone else had the application: "Imagemagick Quantum Depth 16" ...show up in their menus & do not remember installing it?

pavroo

It could be installed as a dependency to a new package you have installed or upgraded.
It it not explolit for sure.
Nothing is easy as it looks. Danielle Steel

SparkyBookworm

I think Imagmagick WAS once or still IS a LibreOffice dependency for image to pdf creation, explaining why it was installed.

Since Imagemagick is a standalone application explains why 'sudo apt autoremove' does not remove it.

Why Imagemagick was on all but one of my machines I have not figured out.  Imagemagick looks like a useful terminal application.

Thanks.

View the most recent posts on the forum