Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 345569 (CVE-2010-4167) - <media-gfx/imagemagick-6.6.5.6: Local Arbitrary Code Execution Vulnerability (CVE-2010-4167)
Summary: <media-gfx/imagemagick-6.6.5.6: Local Arbitrary Code Execution Vulnerability ...
Status: RESOLVED FIXED
Alias: CVE-2010-4167
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://trac.imagemagick.org/changeset...
Whiteboard: B4 [noglsa]
Keywords:
: 345897 386381 (view as bug list)
Depends on: 345897
Blocks:
  Show dependency tree
 
Reported: 2010-11-15 05:11 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-08 16:18 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-15 05:11:29 UTC
From the Debian bug at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824:

<-- 

ImageMagick reads several configuration files[0] from the current 
working directory. Unfortunately, this allows local attackers to execute 
arbitrary code if ImageMagick is run from an untrusted directory.

Steps to reproduce this bug:

1. As an attacker, put the attached files in /tmp.
2. As a victim, in /tmp run:

$ convert /path/to/foo.png /path/to/bar.png
All your base are belong to us.
convert: missing an image filename `/path/to/bar.png'.

<--

Looks to be fixed in 6.6.5-5 upstream.

http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog
Comment 1 Markus Meier gentoo-dev 2010-11-17 10:17:22 UTC
bumped in cvs.

*imagemagick-6.6.5.6 (17 Nov 2010)

  17 Nov 2010; Markus Meier <maekke@gentoo.org> +imagemagick-6.6.5.6.ebuild:
  version bump, security bug #345569
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-11-17 14:32:07 UTC
Thank you.

Arches, please test and mark stable:
=media-gfx/imagemagick-6.6.5.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2010-11-17 15:42:15 UTC
Requires: 

>=media-libs/libfpx-1.3.0-r1 and it is not stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-17 17:17:49 UTC
*** Bug 345897 has been marked as a duplicate of this bug. ***
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-17 17:22:19 UTC
Stable for PPC.
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-11-17 20:29:47 UTC
amd64 done
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2010-11-18 11:24:28 UTC
x86 done.  The tests are weird.  Why do they only run on the second merge?

src_test() {
    if has_version ~${CATEGORY}/${P}; then
        emake -j1 check || die
    else
        ewarn "Skipping tests because installed version doesn't match."
    fi
}
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-19 15:47:39 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-11-21 12:48:48 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-11-28 14:26:52 UTC
ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-28 15:24:38 UTC
Thanks, folks.

GLSA Vote: no.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-03 20:57:05 UTC
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 16:18:50 UTC
*** Bug 386381 has been marked as a duplicate of this bug. ***