Your message dated Wed, 17 Nov 2010 01:55:36 +0000
with message-id <e1pixfi-0008bm...@franck.debian.org>
and subject line Bug#601824: fixed in imagemagick 7:6.3.7.9.dfsg2-1~lenny4
has caused the Debian Bug report #601824,
regarding imagemagick: reads config files from cwd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
601824: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: imagemagick
Version: 7:6.3.7.9.dfsg2-1~lenny3
Severity: grave
Tags: security
Justification: user security hole
ImageMagick reads several configuration files[0] from the current
working directory. Unfortunately, this allows local attackers to execute
arbitrary code if ImageMagick is run from an untrusted directory.

Steps to reproduce this bug:

1. As an attacker, put the attached files in /tmp.
2. As a victim, in /tmp run:

   $ convert /path/to/foo.png /path/to/bar.png
   All your base are belong to us.
   convert: missing an image filename `/path/to/bar.png'.

[0] http://www.imagemagick.org/script/resources.php
--
Jakub Wilk
coder.xml
Description: XML document
delegates.xml
Description: XML document
signature.asc
Description: Digital signature
--- End Message ---
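A defensive check for the condition reported above, added here as an example; it is not part of the bug report or of the Debian or ImageMagick fix. It audits a directory before ImageMagick is run from it and, for unpatched versions, runs the command from a fresh private working directory instead. Only coder.xml and delegates.xml are named on this page; the other file names are assumed from the ImageMagick resources documentation cited as [0], and the function names are hypothetical.

```python
import os
import stat
import subprocess
import tempfile

# coder.xml and delegates.xml are the files attached to the report. The
# remaining names are an assumption taken from ImageMagick's resources page.
CONFIG_NAMES = ("coder.xml", "delegates.xml", "colors.xml", "configure.xml",
                "log.xml", "magic.xml", "mime.xml", "type.xml")


def audit_dir(path="."):
    """Return findings that make `path` unsafe as a cwd for ImageMagick."""
    findings = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    if st.st_uid not in (0, os.geteuid()):
        findings.append("directory owned by uid %d" % st.st_uid)
    for name in CONFIG_NAMES:
        full = os.path.join(path, name)
        if os.path.lexists(full):          # also catches dangling symlinks
            owner = os.lstat(full).st_uid
            findings.append("%s present (owner uid %d)" % (name, owner))
    return findings


def run_in_private_cwd(argv):
    """Run argv with cwd set to a fresh 0700 directory nobody else can write.

    All file arguments must be absolute paths, as in the report's example,
    because relative paths would resolve inside the private directory.
    """
    with tempfile.TemporaryDirectory(prefix="im-cwd-") as private:
        return subprocess.run(argv, cwd=private, check=False,
                              capture_output=True, text=True)


if __name__ == "__main__":
    for finding in audit_dir("."):
        print("unsafe cwd:", finding)
```

A non-empty result from audit_dir("/tmp") is the situation in step 2 of the report; run_in_private_cwd(["convert", "/path/to/foo.png", "/path/to/bar.png"]) avoids it without changing the command.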
--- Begin Message ---
Source: imagemagick
Source-Version: 7:6.3.7.9.dfsg2-1~lenny4
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick_6.3.7.9.dfsg2-1~lenny4.diff.gz
to main/i/imagemagick/imagemagick_6.3.7.9.dfsg2-1~lenny4.diff.gz
imagemagick_6.3.7.9.dfsg2-1~lenny4.dsc
to main/i/imagemagick/imagemagick_6.3.7.9.dfsg2-1~lenny4.dsc
imagemagick_6.3.7.9.dfsg2-1~lenny4_amd64.deb
to main/i/imagemagick/imagemagick_6.3.7.9.dfsg2-1~lenny4_amd64.deb
libmagick++10_6.3.7.9.dfsg2-1~lenny4_amd64.deb
to main/i/imagemagick/libmagick++10_6.3.7.9.dfsg2-1~lenny4_amd64.deb
libmagick++9-dev_6.3.7.9.dfsg2-1~lenny4_amd64.deb
to main/i/imagemagick/libmagick++9-dev_6.3.7.9.dfsg2-1~lenny4_amd64.deb
libmagick10_6.3.7.9.dfsg2-1~lenny4_amd64.deb
to main/i/imagemagick/libmagick10_6.3.7.9.dfsg2-1~lenny4_amd64.deb
libmagick9-dev_6.3.7.9.dfsg2-1~lenny4_amd64.deb
to main/i/imagemagick/libmagick9-dev_6.3.7.9.dfsg2-1~lenny4_amd64.deb
perlmagick_6.3.7.9.dfsg2-1~lenny4_amd64.deb
to main/i/imagemagick/perlmagick_6.3.7.9.dfsg2-1~lenny4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 601...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nelson A. de Oliveira <nao...@debian.org> (supplier of updated imagemagick
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Tue, 16 Nov 2010 16:11:33 -0200
Source: imagemagick
Binary: imagemagick libmagick10 libmagick9-dev libmagick++10 libmagick++9-dev
perlmagick
Architecture: source amd64
Version: 7:6.3.7.9.dfsg2-1~lenny4
Distribution: stable
Urgency: medium
Maintainer: Luciano Bello <luci...@debian.org>
Changed-By: Nelson A. de Oliveira <nao...@debian.org>
Description:
imagemagick - image manipulation programs
libmagick++10 - C++ API to the ImageMagick library
libmagick++9-dev - C++ API to the ImageMagick library - development files
libmagick10 - image manipulation library
libmagick9-dev - image manipulation library - development files
perlmagick - Perl interface to the libMagick graphics routines
Closes: 601824
Changes:
imagemagick (7:6.3.7.9.dfsg2-1~lenny4) stable; urgency=medium
.
* Apply upstream patch to fix reading config files from current directory
(Closes: #601824).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAkzi3SAACgkQAQwuptkwlkR92wCfbRs7fuxZ/8HctapewCt0ZnlD
0OEAn2dtVTj3HvRXmMDz68/yelrngSLi
=VxJk
-----END PGP SIGNATURE-----
--- End Message ---