Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 83542 - media-gfx/imagemagick: filename handling format string bug.
Summary: media-gfx/imagemagick: filename handling format string bug.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B2 [glsa] jaervosz
Keywords:
: 117843 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-02-28 04:55 UTC by Tavis Ormandy (RETIRED)
Modified: 2006-11-11 18:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
filename handling format string patch (imagick-6.1.8-filename-format-string.diff,562 bytes, patch)
2005-03-01 02:20 UTC, Tavis Ormandy (RETIRED) 		no flags Details | Diff
imagemagick_formatstring_new.diff (imagemagick_formatstring_new.diff,834 bytes, patch)
2006-01-04 06:33 UTC, Thierry Carrez (RETIRED) 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 04:55:49 UTC 
there's a problem handling filenames in imagemagick, this could potentially cause problems in webapps that use the utilities (mediawiki, gallery, etc).

I reported the problem (in SetImageInfo()) upstream who say a fix will be present in 6.2.0-3.

eg, 
convert /dev/null %n
convert /dev/null "%.03%hn%hn:%x%x%"
etc.


Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-01 02:20:39 UTC 
Created attachment 52363 [details, diff]
filename handling format string patch

oneliner patch for image magick filename handling issue.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 08:56:08 UTC 
Graphics team, please bump to 6.2.0-3 or apply provided patch to current.
Comment 3 solar (RETIRED) gentoo-dev 2005-03-02 09:26:21 UTC 
This will be CAN-2005-0397
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-02 15:09:51 UTC 
Imagemagick and perlmagick bumped to 6.0.2.4.
***Please, update keywords of dev-perl/perlmagick to match imagemagick***
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-02 22:30:20 UTC 
sekretarz I presume you mean 6.2.0.4:-)

Arches please test and mark imagemagick and perlmagick stable.
Comment 6 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-02 22:38:49 UTC 
yeah, sorry, bumped to 6.2.0.4, of course ;)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-03 06:49:10 UTC 
sparc stable.
Comment 8 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-03 06:52:13 UTC 
stable on amd64
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-03-03 09:01:00 UTC 
stable on ppc64
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-03 13:45:30 UTC 
Stable on ppc.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2005-03-05 22:44:30 UTC 
x86 stable
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-06 01:30:51 UTC 
Alpha stable.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 05:08:29 UTC 
GLSA 200503-11
hppa, ia64, mips: please mark stable to benefit from GLSA
Comment 14 Hardave Riar (RETIRED) gentoo-dev 2005-03-13 14:49:23 UTC 
Stable on mips.
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:00:29 UTC 
Already stable on hppa
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2006-01-04 06:33:00 UTC 
Debian says the patch is not sufficient.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876

Tavis, your opinion ?
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-01-04 06:33:34 UTC 
Created attachment 76159 [details, diff]
imagemagick_formatstring_new.diff

New proposed patch, from Debian
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2006-01-04 08:08:40 UTC 
graphics, please repatch ?
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-01-05 00:44:57 UTC 
*** Bug 117843 has been marked as a duplicate of this bug. ***
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2006-01-05 01:14:45 UTC 
New one is CVE-2006-0082
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2006-01-12 08:24:20 UTC 
Anyone in graphics herd ?
Comment 22 Karol Wojtaszek (RETIRED) gentoo-dev 2006-01-18 12:28:22 UTC 
I checked imagemagick-6.2.5.5 code and i think that they fixed this flow. They didn't apply patch from debian but current code doesn't expand % chars. I advise to push imagemagick-6.2.5.5 stable.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 13:40:38 UTC 
Calling arches _very_ late.
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2006-01-30 14:18:27 UTC 
stable on ppc64
Comment 25 Patrick McLean gentoo-dev 2006-01-30 20:22:16 UTC 
stable on amd64
Comment 26 Joshua Jackson (RETIRED) gentoo-dev 2006-01-30 21:12:26 UTC 
x86 stable
Comment 27 René Nussbaumer (RETIRED) gentoo-dev 2006-01-31 01:37:39 UTC 
Stable on hppa
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-31 07:04:25 UTC 
ppc stable
Comment 29 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-31 09:05:16 UTC 
sparc stable.
Comment 30 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-01-31 18:35:06 UTC 
stable on alpha
Comment 31 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-01 06:53:36 UTC 
ready for glsa
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2006-02-13 12:40:59 UTC 
GLSA 200602-06
arm  and mips should mark stable to benefit from GLSA
Comment 33 Joshua Kinard gentoo-dev 2006-09-03 22:21:21 UTC 
6.2.8.0 stable on mips (took us long enough I guess....)