Package: imagemagick
Version: 6:6.2.4.5-0.6
Severity: grave
Justification: user security hole
Tags: security

If display is called on a file:/// URL, it deletes the image after displaying it.

Steps to reproduce:

  cp /some/image.jpg /tmp/test.jpg
  display file:///tmp/test.jpg

Quit display: /tmp/test.jpg is gone.

Since display may be a MIME handler for images, and configured to take URLs and not paths, this may be a security risk in some cases.

-- (Probably useless) System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.14.1
Locale: LANG=C, LC_CTYPE=fr_FR (charmap=ISO-8859-1)

Versions of packages imagemagick depends on:
ii  libbz2-1.0         1.0.3-2            high-quality block-sorting file co
ii  libc6              2.3.5-13           GNU C Library: Shared libraries an
ii  libfreetype6       2.1.7-2.4          FreeType 2 font engine, shared lib
ii  libice6            6.9.0.dfsg.1-4     Inter-Client Exchange library
ii  libjasper-1.701-1  1.701.0-2          The JasPer JPEG-2000 runtime libra
ii  libjpeg62          6b-11              The Independent JPEG Group's JPEG
ii  liblcms1           1.13-1             Color management library
ii  libmagick9         6:6.2.4.5-0.6      Image manipulation library
ii  libpng12-0         1.2.8rel-5         PNG library - runtime
ii  libsm6             6.9.0.dfsg.1-4     X Window System Session Management
ii  libtiff4           3.7.4-1            Tag Image File Format (TIFF) libra
ii  libx11-6           6.9.0.dfsg.1-4     X Window System protocol client li
ii  libxext6           6.9.0.dfsg.1-4     X Window System miscellaneous exte
ii  libxml2            2.6.23.dfsg.1-0.1  GNOME XML library
ii  zlib1g             1:1.2.3-9          compression library - runtime
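
Added example, not part of the original report and not ImageMagick or Debian code: a shell regression check for the behaviour reported above. It hands a viewer a file:// URL for a scratch copy and reports whether the copy survived. The function name, its return codes, the SAMPLE_IMAGE variable and the two fake viewers are assumptions made for illustration.

```shell
#!/bin/sh
# check_preserves_input VIEWER [ARGS...]
#   Runs VIEWER on a file:// URL pointing at a scratch copy of an image and
#   checks what happened to that copy afterwards.
#   Returns: 0 = preserved, 1 = deleted, 2 = modified, 3 = setup failure.
#   SAMPLE_IMAGE (assumed variable) may name a real image to copy; otherwise
#   constructed placeholder bytes are used.
check_preserves_input() {
    workdir=$(mktemp -d) || return 3
    sample="$workdir/test.jpg"
    if [ -n "${SAMPLE_IMAGE:-}" ]; then
        cp "$SAMPLE_IMAGE" "$sample" || { rm -rf "$workdir"; return 3; }
    else
        # Constructed sample content, not a decodable image.
        printf 'constructed-sample-image-bytes\n' > "$sample" \
            || { rm -rf "$workdir"; return 3; }
    fi
    before=$(cksum < "$sample")

    # The viewer's exit status is ignored: only the file's fate matters.
    "$@" "file://$sample" >/dev/null 2>&1 || true

    if [ ! -e "$sample" ]; then
        result=1          # the behaviour described in this report
    elif [ "$(cksum < "$sample")" != "$before" ]; then
        result=2
    else
        result=0
    fi
    rm -rf "$workdir"     # only the scratch directory is ever touched
    return "$result"
}

# Hypothetical stand-ins for a viewer, so the check runs without X11.
# The first mimics the reported behaviour by unlinking the path behind the
# URL; the second only reads the file.
fake_viewer_deleting() { rm -f "${1#file://}"; }
fake_viewer_readonly() { cat "${1#file://}" >/dev/null; }
```

To check a real viewer, set SAMPLE_IMAGE to an existing image and pass the viewer command as the argument; an interactive viewer has to be quit by hand before the result is returned.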