[Pkg-gmagick-im-team] Bug#601824: imagemagick: reads config files from cwd

Jakub Wilk jwilk at debian.org
Fri Oct 29 23:43:58 UTC 2010


Package: imagemagick
Version: 7:6.3.7.9.dfsg2-1~lenny3
Severity: grave
Tags: security
Justification: user security hole

ImageMagick reads several configuration files[0] from the current 
working directory. Unfortunately, this allows local attackers to execute 
arbitrary code if ImageMagick is run from an untrusted directory.

Steps to reproduce this bug:

1. As an attacker, put the attached files in /tmp.
2. As a victim, in /tmp run:

$ convert /path/to/foo.png /path/to/bar.png
All your base are belong to us.
convert: missing an image filename `/path/to/bar.png'.


[0] http://www.imagemagick.org/script/resources.php

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: coder.xml
Type: application/xml
Size: 61 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20101030/7bf6f6df/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: delegates.xml
Type: application/xml
Size: 105 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20101030/7bf6f6df/attachment-0001.xml>
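
A defensive wrapper for the condition reported above, as an added example that is not part of the original message or of ImageMagick. The function names are hypothetical, and the file names beyond coder.xml and delegates.xml are assumed from ImageMagick's documented configuration files.

```shell
#!/bin/sh
# Added example: refuse to run ImageMagick from a directory whose contents
# it could load as configuration.

# coder.xml and delegates.xml are the two files attached to the report;
# the remaining names are other ImageMagick configuration files (assumed list).
IM_CONFIG_NAMES="coder.xml delegates.xml policy.xml type.xml log.xml magic.xml colors.xml configure.xml locale.xml mime.xml thresholds.xml"

# Print the name of every ImageMagick config file present in directory $1.
im_cwd_configs() {
    dir=${1:-.}
    for name in $IM_CONFIG_NAMES; do
        # -e follows symlinks; -L also catches dangling ones
        if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Return 0 (untrusted) if directory $1 is not owned by the caller or is
# writable by group or others, i.e. someone else can place files in it.
im_dir_untrusted() {
    dir=${1:-.}
    [ -O "$dir" ] || return 0
    [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Run convert only when the working directory cannot supply configuration.
# Returns 1 if config files are present, 2 if others can write to the cwd.
safe_convert() {
    found=$(im_cwd_configs .)
    if [ -n "$found" ]; then
        echo "refusing to run: config files in cwd:" $found >&2
        return 1
    fi
    # The check above is racy in a shared directory (a file can appear
    # between the check and the exec), so such directories are rejected.
    if im_dir_untrusted .; then
        echo "refusing to run: cwd is writable by other users" >&2
        return 2
    fi
    convert "$@"
}
```

The same two checks can be run over build or upload directories before any ImageMagick tool is started there.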