tags 601824 fixed-upstream patch
thanks
On 2010-10-30 "Nelson A. de Oliveira" <[email protected]> wrote:
> On Fri, Oct 29, 2010 at 11:43 PM, Jakub Wilk <[email protected]> wrote:
> > ImageMagick reads several configuration files[0] from the current working
> > directory. Unfortunately, this allows local attackers to execute arbitrary
> > code if ImageMagick is run from an untrusted directory.
> I have confirmed it here and forwarded upstream.
[...]
Hello Nelson,
This is already fixed upstream. Quoting 6.6.5-6 ChangeLog:
2010-10-30 6.6.5-5 Cristy <quetzlzacatena...@image...>
* Do not read configure files in the current directory for the "installed"
version of ImageMagick.
The fix (copy attached) is pretty short; I can make an NMU if you want
me to.
cu andreas
Description: Do not read configure files in the current directory for
the "installed" version of ImageMagick.
Patch pulled from upstream svn
https://www.imagemagick.org/subversion/ImageMagick/trunk
revision 3022.
Author: Cristy <quetzlzacatena...@image...>
Bug-Debian: http://bugs.debian.org/601824
Origin: upstream
Last-Update: <2010-11-06>
--- imagemagick-6.6.0.4.orig/magick/configure.c
+++ imagemagick-6.6.0.4/magick/configure.c
@@ -749,6 +749,10 @@ MagickExport LinkedListInfo *GetConfigur
(void) AppendValueToLinkedList(paths,ConstantString(path));
#endif
}
+ /*
+ Search current directory.
+ */
+ (void) AppendValueToLinkedList(paths,ConstantString(""));
#endif
{
char
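Review bot: The re-added `AppendValueToLinkedList(paths,ConstantString(""))` sits directly before an `#endif` whose opening `#if` is outside the hunk context, and its comment still says only "Search current directory.", so a reader cannot tell which builds keep reading configuration files from the working directory. Extend the comment to name the build condition (the ChangeLog says the "installed" version must not read them) and the reason, namely that an untrusted working directory could otherwise supply configuration. The entry is also now appended ahead of the paths added by the block that follows, rather than last as before, so its position in the search list changes for the builds that keep it; please confirm that reordering is intended.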
@@ -803,10 +807,6 @@ MagickExport LinkedListInfo *GetConfigur
}
}
#endif
- /*
- Search current directory.
- */
- (void) AppendValueToLinkedList(paths,ConstantString(""));
return(paths);
}
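Review bot: After the removal just before `return(paths);`, nothing at the end of the function records that the current directory is deliberately left out of the list for the installed build, which makes it easy for a later change to add it back unconditionally. A one-line comment at this spot stating that the empty path is only appended inside the conditional block above would document the intent. Since the Description cites upstream revision 3022 while the file paths are from imagemagick-6.6.0.4, it is also worth stating in the patch header that the hunk offsets were checked against this older source.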