Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 83542 - media-gfx/imagemagick: filename handling format string bug.
Summary: media-gfx/imagemagick: filename handling format string bug.
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
: 117843 (view as bug list)
Depends on:
Reported: 2005-02-28 04:55 UTC by Tavis Ormandy (RETIRED)
Modified: 2006-11-11 18:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

filename handling format string patch (imagick-6.1.8-filename-format-string.diff,562 bytes, patch)
2005-03-01 02:20 UTC, Tavis Ormandy (RETIRED)
no flags Details | Diff
imagemagick_formatstring_new.diff (imagemagick_formatstring_new.diff,834 bytes, patch)
2006-01-04 06:33 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 04:55:49 UTC
there's a problem handling filenames in imagemagick, this could potentially cause problems in webapps that use the utilities (mediawiki, gallery, etc).

I reported the problem (in SetImageInfo()) upstream who say a fix will be present in 6.2.0-3.

convert /dev/null %n
convert /dev/null "%.03%hn%hn:%x%x%"

Reproducible: Always
Steps to Reproduce:
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-01 02:20:39 UTC
Created attachment 52363 [details, diff]
filename handling format string patch

oneliner patch for image magick filename handling issue.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 08:56:08 UTC
Graphics team, please bump to 6.2.0-3 or apply provided patch to current.
Comment 3 solar (RETIRED) gentoo-dev 2005-03-02 09:26:21 UTC
This will be CAN-2005-0397
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-02 15:09:51 UTC
Imagemagick and perlmagick bumped to
***Please, update keywords of dev-perl/perlmagick to match imagemagick***
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-02 22:30:20 UTC
sekretarz I presume you mean

Arches please test and mark imagemagick and perlmagick stable.
Comment 6 Karol Wojtaszek (RETIRED) gentoo-dev 2005-03-02 22:38:49 UTC
yeah, sorry, bumped to, of course ;)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-03 06:49:10 UTC
sparc stable.
Comment 8 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-03 06:52:13 UTC
stable on amd64
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-03-03 09:01:00 UTC
stable on ppc64
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-03 13:45:30 UTC
Stable on ppc.
Comment 11 Olivier Crete (RETIRED) gentoo-dev 2005-03-05 22:44:30 UTC
x86 stable
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-06 01:30:51 UTC
Alpha stable.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 05:08:29 UTC
GLSA 200503-11
hppa, ia64, mips: please mark stable to benefit from GLSA
Comment 14 Hardave Riar (RETIRED) gentoo-dev 2005-03-13 14:49:23 UTC
Stable on mips.
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:00:29 UTC
Already stable on hppa
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2006-01-04 06:33:00 UTC
Debian says the patch is not sufficient.

Tavis, your opinion ?
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-01-04 06:33:34 UTC
Created attachment 76159 [details, diff]

New proposed patch, from Debian
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2006-01-04 08:08:40 UTC
graphics, please repatch ?
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-01-05 00:44:57 UTC
*** Bug 117843 has been marked as a duplicate of this bug. ***
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2006-01-05 01:14:45 UTC
New one is CVE-2006-0082
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2006-01-12 08:24:20 UTC
Anyone in graphics herd ?
Comment 22 Karol Wojtaszek (RETIRED) gentoo-dev 2006-01-18 12:28:22 UTC
I checked imagemagick- code and i think that they fixed this flow. They didn't apply patch from debian but current code doesn't expand % chars. I advise to push imagemagick- stable.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 13:40:38 UTC
Calling arches _very_ late.
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2006-01-30 14:18:27 UTC
stable on ppc64
Comment 25 Patrick McLean gentoo-dev 2006-01-30 20:22:16 UTC
stable on amd64
Comment 26 Joshua Jackson (RETIRED) gentoo-dev 2006-01-30 21:12:26 UTC
x86 stable
Comment 27 René Nussbaumer (RETIRED) gentoo-dev 2006-01-31 01:37:39 UTC
Stable on hppa
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-31 07:04:25 UTC
ppc stable
Comment 29 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-31 09:05:16 UTC
sparc stable.
Comment 30 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-01-31 18:35:06 UTC
stable on alpha
Comment 31 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-01 06:53:36 UTC
ready for glsa
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2006-02-13 12:40:59 UTC
GLSA 200602-06
arm  and mips should mark stable to benefit from GLSA
Comment 33 Joshua Kinard gentoo-dev 2006-09-03 22:21:21 UTC stable on mips (took us long enough I guess....)