Jakub Wilk
2010-Oct-29 23:43 UTC
[Secure-testing-team] Bug#601824: imagemagick: reads config files from cwd
Package: imagemagick Version: 7:6.3.7.9.dfsg2-1~lenny3 Severity: grave Tags: security Justification: user security hole ImageMagick reads several configuration files[0] from the current working directory. Unfortunately, this allows local attackers to execute arbitrary code if ImageMagick is run from an untrusted directory. Steps to reproduce this bug: 1. As an attacker, put the attached files in /tmp. 2. As a victim, in /tmp run: $ convert /path/to/foo.png /path/to/bar.png All your base are belong to us. convert: missing an image filename `/path/to/bar.png''. [0] http://www.imagemagick.org/script/resources.php -- Jakub Wilk -------------- next part -------------- A non-text attachment was scrubbed... Name: coder.xml Type: application/xml Size: 61 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101030/7bf6f6df/attachment.xml> -------------- next part -------------- A non-text attachment was scrubbed... Name: delegates.xml Type: application/xml Size: 105 bytes Desc: not available URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101030/7bf6f6df/attachment-0001.xml> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101030/7bf6f6df/attachment.pgp>