
Cloud Vulnerability DB
A community-led vulnerabilities database
ImageMagick, a software suite used for editing and manipulating digital images, was found to have a security vulnerability (CVE-2021-39212) where Postscript files could be read and written when specifically excluded by a module policy in policy.xml. This vulnerability was discovered and disclosed on September 13, 2021, affecting versions prior to ImageMagick 7.1.0-7 and 6.9.12-22 (GitHub Advisory).
The vulnerability stems from incorrect rights handling in the module policy implementation: the policy check used AllPolicyRights where the more restrictive ReadPolicyRights|WritePolicyRights combination was intended, so a module policy written to deny Postscript did not actually block reads and writes. The vulnerability has a CVSS v3.1 score of 4.4 (Low) with Local attack vector, Low attack complexity, Low privileges required, and No user interaction needed (Oracle Bulletin).
The vulnerability could allow unauthorized reading and writing of Postscript files that the module policy configuration was specifically meant to restrict. This is a security policy bypass that could expose sensitive information or allow unauthorized file modifications (GitHub Advisory).
The issue has been patched in ImageMagick versions 7.1.0-7 and 6.9.12-22. As a workaround, users are recommended to use the coder policy instead of the module policy, as this is both more common and not affected by this vulnerability. Various Linux distributions have also released patched versions, including Ubuntu and Debian (GitHub Advisory, Ubuntu Security).
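Since the workaround is to express the Postscript restriction as a coder policy rather than a module policy, a defender can audit an existing policy.xml for Postscript rules that exist only in the module domain and emit the equivalent coder rule. The following audit script is an added example, not code from Wiz or the ImageMagick project; the helper names, the sample policy and the set of Postscript-family coder names (PS, PS2, PS3, EPS) are assumptions.

```python
"""Audit an ImageMagick policy.xml for Postscript restrictions expressed only
through the module domain (the domain affected by CVE-2021-39212) and build
the equivalent coder-domain rule that the advisory recommends instead."""
import re
import xml.etree.ElementTree as ET

# Assumption: these are the PostScript-family coder names to look for.
POSTSCRIPT_CODERS = {"PS", "PS2", "PS3", "EPS"}


def expand_pattern(pattern):
    """Expand ImageMagick's brace form, e.g. '{PS,PS2}' -> {'PS', 'PS2'}.
    A bare '*' is treated as matching every Postscript coder."""
    if pattern.strip() == "*":
        return set(POSTSCRIPT_CODERS)
    m = re.fullmatch(r"\{(.*)\}", pattern.strip())
    names = m.group(1).split(",") if m else [pattern]
    return {n.strip().upper() for n in names}


def restricted_postscript(policy_xml, domain):
    """Return the Postscript coders that the given domain denies (rights='none')."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == domain and pol.get("rights", "").strip().lower() == "none":
            denied |= expand_pattern(pol.get("pattern", "")) & POSTSCRIPT_CODERS
    return denied


def audit(policy_xml):
    """Report Postscript coders denied only by a module policy, plus the coder
    rule that would enforce the same restriction without relying on the module domain."""
    module_only = restricted_postscript(policy_xml, "module") - restricted_postscript(policy_xml, "coder")
    coder_rule = ""
    if module_only:
        coder_rule = '<policy domain="coder" rights="none" pattern="{%s}" />' % ",".join(sorted(module_only))
    return {"module_only": module_only, "coder_rule": coder_rule}


# Constructed sample policy: Postscript is denied only through the module domain.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="module" rights="none" pattern="{PS,PS2,PS3,EPS}"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
</policymap>"""

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Running it against the sample reports all four Postscript coders as module-only and prints the coder rule to add; a policy that already carries the coder rule produces an empty report.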
Source: This report was generated using AI