Your message dated Tue, 16 Nov 2010 16:32:41 +0000
with message-id <e1piosx-00016t...@franck.debian.org>
and subject line Bug#601824: fixed in imagemagick 8:6.6.0.4-3
has caused the Debian Bug report #601824,
regarding imagemagick: reads config files from cwd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
601824: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: imagemagick
Version: 7:6.3.7.9.dfsg2-1~lenny3
Severity: grave
Tags: security
Justification: user security hole
ImageMagick reads several configuration files[0] from the current
working directory. Unfortunately, this allows local attackers to execute
arbitrary code if ImageMagick is run from an untrusted directory.

Steps to reproduce this bug:

1. As an attacker, put the attached files in /tmp.
2. As a victim, in /tmp run:

   $ convert /path/to/foo.png /path/to/bar.png
   All your base are belong to us.
   convert: missing an image filename `/path/to/bar.png'.

[0] http://www.imagemagick.org/script/resources.php
--
Jakub Wilk
coder.xml
Description: XML document
delegates.xml
Description: XML document
--- End Message ---
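Added example, not part of the bug report or the Debian fix: a pre-flight check for the condition the report describes, listing ImageMagick configuration files that sit in a working directory and flagging those owned by an untrusted uid, plus a wrapper that runs a command from a fresh private directory. The function names are hypothetical, and every file name other than coder.xml and delegates.xml is an assumption taken from ImageMagick's resources documentation.

```shell
#!/bin/sh
# Added example, not part of the bug report. Only coder.xml and delegates.xml
# are named on this page; the other names are assumed from ImageMagick's
# resources documentation.
IM_CONFIG_NAMES="coder.xml colors.xml configure.xml delegates.xml english.xml
locale.xml log.xml magic.xml mime.xml thresholds.xml type.xml"

# Print "name owner-uid" for each ImageMagick config file found in directory $1.
im_cwd_config_scan() {
    dir=${1:-.}
    for name in $IM_CONFIG_NAMES; do
        f=$dir/$name
        # -L also catches symlinks, including dangling ones
        if [ -e "$f" ] || [ -L "$f" ]; then
            uid=$(ls -ldn -- "$f" | awk '{print $3}')
            printf '%s %s\n' "$name" "$uid"
        fi
    done
}

# Return 0 if every config file in directory $1 is owned by a uid listed in $2
# (default: root and the caller); otherwise report the files and return 1.
im_dir_is_clean() {
    trusted=${2:-"0 $(id -u)"}
    bad=$(im_cwd_config_scan "$1" |
          awk -v t=" $trusted " 'index(t, " " $2 " ") == 0')
    [ -z "$bad" ] && return 0
    printf 'untrusted ImageMagick config in %s:\n%s\n' "${1:-.}" "$bad" >&2
    return 1
}

# Run a command from a fresh private directory rather than the caller's cwd.
# File arguments must be absolute paths, as in the report's convert example.
run_from_private_dir() {
    tmp=$(mktemp -d) || return 1
    rc=0
    ( cd "$tmp" && "$@" ) || rc=$?
    rm -rf -- "$tmp"
    return "$rc"
}
```

On a package without the fix, `im_dir_is_clean . && convert ...` or `run_from_private_dir convert /path/to/foo.png /path/to/bar.png` keeps convert away from config files planted in a shared directory.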
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.6.0.4-3
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick-dbg_6.6.0.4-3_i386.deb
to main/i/imagemagick/imagemagick-dbg_6.6.0.4-3_i386.deb
imagemagick-doc_6.6.0.4-3_all.deb
to main/i/imagemagick/imagemagick-doc_6.6.0.4-3_all.deb
imagemagick_6.6.0.4-3.debian.tar.bz2
to main/i/imagemagick/imagemagick_6.6.0.4-3.debian.tar.bz2
imagemagick_6.6.0.4-3.dsc
to main/i/imagemagick/imagemagick_6.6.0.4-3.dsc
imagemagick_6.6.0.4-3_i386.deb
to main/i/imagemagick/imagemagick_6.6.0.4-3_i386.deb
libmagick++-dev_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagick++-dev_6.6.0.4-3_i386.deb
libmagick++3_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagick++3_6.6.0.4-3_i386.deb
libmagickcore-dev_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagickcore-dev_6.6.0.4-3_i386.deb
libmagickcore3-extra_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagickcore3-extra_6.6.0.4-3_i386.deb
libmagickcore3_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagickcore3_6.6.0.4-3_i386.deb
libmagickwand-dev_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagickwand-dev_6.6.0.4-3_i386.deb
libmagickwand3_6.6.0.4-3_i386.deb
to main/i/imagemagick/libmagickwand3_6.6.0.4-3_i386.deb
perlmagick_6.6.0.4-3_i386.deb
to main/i/imagemagick/perlmagick_6.6.0.4-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 601...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nelson A. de Oliveira <nao...@debian.org> (supplier of updated imagemagick
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Tue, 16 Nov 2010 10:53:04 -0200
Source: imagemagick
Binary: imagemagick imagemagick-dbg imagemagick-doc libmagickcore3
libmagickcore3-extra libmagickcore-dev libmagickwand3 libmagickwand-dev
libmagick++3 libmagick++-dev perlmagick
Architecture: source i386 all
Version: 8:6.6.0.4-3
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team
<pkg-gmagick-im-t...@lists.alioth.debian.org>
Changed-By: Nelson A. de Oliveira <nao...@debian.org>
Description:
imagemagick - image manipulation programs
imagemagick-dbg - debugging symbols for ImageMagick
imagemagick-doc - document files of ImageMagick
libmagick++-dev - object-oriented C++ interface to ImageMagick - development
files
libmagick++3 - object-oriented C++ interface to ImageMagick
libmagickcore-dev - low-level image manipulation library - development files
libmagickcore3 - low-level image manipulation library
libmagickcore3-extra - low-level image manipulation library - extra codecs
libmagickwand-dev - image manipulation library - development files
libmagickwand3 - image manipulation library
perlmagick - Perl interface to the ImageMagick graphics routines
Closes: 601824
Changes:
imagemagick (8:6.6.0.4-3) unstable; urgency=medium
.
* Apply fix for reading config files from current directory, found by
Jakub Wilk <jw...@debian.org> (Closes: #601824).
Thanks to Andreas Metzler <ametz...@downhill.at.eu.org> for the nicely
formatted patch.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAkziryIACgkQAQwuptkwlkQveACfeOpygXFGMSOT9HxrOGqPvUJV
jigAnj+TtXNWB+JucKBdV3yHnKE09uSe
=oPU1
-----END PGP SIGNATURE-----
--- End Message ---