From original submitter:
Hello,
When using ImageMagick via the command line as an image scaler, the
"-thumbnail" argument that MediaWiki supplies as part of the command line
causes ImageMagick to embed "freedesktop.org Thumbnail Managing Standard"
metadata into the output image. Such metadata includes the local file path,
which exposes potentially sensitive information about the installation via
public access to the thumbnailed image.
Example metadata in an affected image: http://i.imgur.com/pAq7QBU.png
Tested on MW 1.22.5, code in git HEAD looked no different.
Imagemagick version: ImageMagick 6.8.9-9 Q16 x86_64 2015-01-05
http://www.imagemagick.org
As another negative side effect, this amount of metadata makes up a large
part of the file size on smaller images, which can waste bandwidth.
Regards,
Richard Stanway
Admin - teamliquid.net
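Added example, not part of the report above and not MediaWiki's or ImageMagick's own code: a small Python check that walks a PNG's chunks, decodes its tEXt/zTXt/iTXt entries, reports the freedesktop.org `Thumb::` keys that ImageMagick's `-thumbnail` writes (including `Thumb::URI`, which carries the source file path), and re-emits the file without any text chunks so the before/after size can be compared. The 1x1 PNG and the `/var/www/wiki/images/...` path are constructed for the demo and stand in for a real thumbnail from an affected install. The ImageMagick options named in the comments (`-strip`, `-define png:exclude-chunk=...`) are mitigations to consider at encode time; this is not a statement of what the MediaWiki patch did.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_thumbnail() -> bytes:
    """Constructed 1x1 RGB PNG carrying the kind of Thumb:: metadata the report
    describes. The file:// path is hypothetical (it imitates a MediaWiki upload
    directory); a real thumbnail from an affected install would hold the real path."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")       # filter byte + one pixel
    texts = {
        b"Thumb::URI": b"file:///var/www/wiki/images/a/ab/Example.png",
        b"Thumb::MTime": b"1431345600",
        b"Thumb::Size": b"123456",
        b"Thumb::Mimetype": b"image/png",
        b"Software": b"ImageMagick",
    }
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for key, val in texts.items():
        out += _chunk(b"tEXt", key + b"\x00" + val)
    # One compressed (zTXt) entry so the decoder's zTXt path is exercised too.
    out += _chunk(b"zTXt", b"Thumb::Image::Width\x00\x00" + zlib.compress(b"640"))
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking the signature, bounds and CRCs."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break


def text_entries(png: bytes) -> dict:
    """Decode every tEXt/zTXt/iTXt chunk into a {keyword: text} mapping."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            continue
        key, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":                      # keyword\0text, Latin-1
            text = rest.decode("latin-1")
        elif ctype == b"zTXt":                    # keyword\0method(1)\zlib-data
            text = zlib.decompress(rest[1:]).decode("latin-1")
        else:                                     # iTXt: flag(1) method(1) lang\0 trans\0 utf8
            comp_flag, rest = rest[0], rest[2:]
            _lang, _, rest = rest.partition(b"\x00")
            _trans, _, body = rest.partition(b"\x00")
            text = (zlib.decompress(body) if comp_flag else body).decode("utf-8")
        found[key.decode("latin-1")] = text
    return found


def leaked_paths(png: bytes) -> dict:
    """Return only the freedesktop Thumb:: entries; Thumb::URI is the one that
    discloses the server-side path as a file:// URI."""
    return {k: v for k, v in text_entries(png).items() if k.startswith("Thumb::")}


def strip_text_chunks(png: bytes) -> bytes:
    """Re-emit the PNG without text chunks. Dropping whole ancillary chunks keeps
    the file valid; at encode time ImageMagick's -strip, or
    -define png:exclude-chunk=tEXt,zTXt,iTXt, has the same effect on the output."""
    out = PNG_SIGNATURE
    for ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            out += _chunk(ctype, data)
    return out


if __name__ == "__main__":
    sample = build_sample_thumbnail()
    print("leaked:", leaked_paths(sample))
    cleaned = strip_text_chunks(sample)
    print("after strip:", leaked_paths(cleaned), f"{len(sample)} -> {len(cleaned)} bytes")
```

To audit a real thumbnail, pass its bytes to `leaked_paths()`; any `Thumb::URI` value is the path the report is about, and the size difference after `strip_text_chunks()` shows how much of a small thumbnail is metadata.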
patch:
- 1.26 - same as master ( )
- 1.25 - same as master ( )
- 1.24 - same as master ( )
- 1.23 - same as master ( )
affected versions:
type: CWE-201
CVE: CVE-2015-8005