Package: imagemagick; Maintainer for imagemagick is ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>; Source for imagemagick is src:imagemagick.
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 29 Dec 2005 21:18:04 UTC
Severity: grave
Tags: fixed, patch, security
Found in versions imagemagick/6.2.4.5-0.3, imagemagick/4:5.4.4.5-1woody7, imagemagick/6:6.0.6.2-2.5
Fixed in versions 6:6.2.4.5-0.6, 4:5.4.4.5-1woody8, 6:6.0.6.2-2.6, imagemagick/7:6.2.4.5.dfsg1-1
Done: Daniel Kobras <kobras@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>: Bug#345238; Package imagemagick.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: New Bug report received and forwarded. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #5 received at submit@bugs.debian.org:

Package: imagemagick
Version: 6.2.4.5-0.3
Tags: security

The delegate code in Imagemagick is vulnerable to shell command
injection, using specially crafted file names:

$ cp /usr/lib/openoffice/share/template/en-US/wizard/bitmap/germany.wmf \
  '" ; echo "Hi!" >&2; : "'.gif
$ display '" ; echo "Hi!" >&2; : "'.gif

It should work with other file formats besides WMF (those for which
delegates are defined).

I'm leaving the severity at normal, because it doesn't seem to be
*that* important.  Perhaps this is exploitable through MIME-enabled
MUAs, which would warrant a higher severity.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #10 received at 345238@bugs.debian.org:

severity 345238 grave
thanks

With some user interaction, this is exploitable through Gnus and
Thunderbird.  I think this warrants increasing the severity to
"grave".

Severity set to `grave'.
Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #17 received at 345238@bugs.debian.org:

retitle 345238 [CVE-2005-4601] Shell command injection in delegate code (via file names)
thanks

This issue has been assigned CVE-2005-4601.  Please mention this
identifier in the changelog when fixing this bug.

Changed Bug title.
Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org.
Acknowledgement sent to Daniel Kobras <kobras@debian.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #24 received at 345238@bugs.debian.org:

tag 345238 + patch
thanks

On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> With some user interaction, this is exploitable through Gnus and
> Thunderbird.  I think this warrants increasing the severity to
> "grave".

Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
I wonder why they've banned ` but still allow $(...), though.

Regards,

Daniel.

[CVE-2005-4601.diff (text/plain, inline)]
--- delegate.c.orig 2006-01-05 13:37:47.000000000 +0100 +++ delegate.c 2006-01-05 13:45:00.000000000 +0100 @@ -701,6 +701,8 @@ MagickExport MagickBooleanType InvokeDelegate(ImageInfo *image_info, Image *image,const char *decode,const char *encode,ExceptionInfo *exception) { +#define ProhibitedAlphabet "*?\"'<>|`" + char *command, **commands; @@ -753,11 +755,11 @@ } image_info->temporary=MagickTrue; } - if (delegate_info->mode != 0) - if (((decode != (const char *) NULL) && + if ((delegate_info->mode != 0) && + (((decode != (const char *) NULL) && (delegate_info->encode != (char *) NULL)) || ((encode != (const char *) NULL) && - (delegate_info->decode != (char *) NULL))) + (delegate_info->decode != (char *) NULL)))) { char *magick; @@ -771,6 +773,13 @@ /* Delegate requires a particular image format. */ + if ((strpbrk(image_info->filename,ProhibitedAlphabet) != (char *) NULL) || + (strpbrk(image->filename,ProhibitedAlphabet) != (char *) NULL)) + { + ThrowFileException(exception,FileOpenError, + "FilenameContainsProhibitedCharacters",image->filename); + return(MagickFalse); + } if (AcquireUniqueFilename(image_info->unique) == MagickFalse) { ThrowFileException(exception,FileOpenError, 
@@ -850,18 +859,25 @@ for (i=0; commands[i] != (char *) NULL; i++) { status=MagickFalse; + if ((strpbrk(image_info->filename,ProhibitedAlphabet) != (char *) NULL) || + (strpbrk(image->filename,ProhibitedAlphabet) != (char *) NULL)) + { + ThrowFileException(exception,FileOpenError, + "FilenameContainsProhibitedCharacters",image->filename); + break; + } if (AcquireUniqueFilename(image_info->unique) == MagickFalse) { ThrowFileException(exception,FileOpenError, "UnableToCreateTemporaryFile",image_info->unique); - return(MagickFalse); + break; } if (AcquireUniqueFilename(image_info->zero) == MagickFalse) { (void) RelinquishUniqueFileResource(image_info->unique); ThrowFileException(exception,FileOpenError, "UnableToCreateTemporaryFile",image_info->zero); - return(MagickFalse); + break; } command=TranslateText(image_info,image,commands[i]); if (command == (char *) NULL)
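Review bot: ProhibitedAlphabet, defined in the @@ -701,6 +701,8 @@ hunk, is a denylist that leaves out $, (, ), ;, & and backslash, so the strpbrk() checks added in the later hunks still let a name containing $(...) through to the shell. Extending the list is fragile; quote the file name for the shell or run the delegate without a shell, and if a character filter is kept, make it an allowlist of known-good characters.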
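Review bot: In the @@ -850,18 +859,25 @@ hunk the two AcquireUniqueFilename() failure paths now use break where they used return(MagickFalse), so the result reported to the caller depends on status still being MagickFalse when the loop is left and on the code after the loop, which is not part of this diff. Please confirm that path releases what it should and returns failure, and note it in a comment. The strpbrk() test on image_info->filename and image->filename is also repeated for every commands[i]; if neither name changes inside the loop it can be done once before the for.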
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #29 received at 345238@bugs.debian.org:

* Daniel Kobras:

> tag 345238 + patch
> thanks
>
> On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
>> With some user interaction, this is exploitable through Gnus and
>> Thunderbird.  I think this warrants increasing the severity to
>> "grave".
>
> Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
> I wonder why they've banned ` but still allow $(...), though.

> +#define ProhibitedAlphabet "*?\"'<>|`"

This choice of characters is indeed strange.  Perhaps some of them are
Windows-related.

> + if ((strpbrk(image_info->filename,ProhibitedAlphabet) != (char *) NULL) ||
> + (strpbrk(image->filename,ProhibitedAlphabet) != (char *) NULL))
> + {
> + ThrowFileException(exception,FileOpenError,
> + "FilenameContainsProhibitedCharacters",image->filename);
> + return(MagickFalse);
> + }

Wrong direction of test.  You should only pass on known-good
characters, not reject bad characters.

A better fix would be to bypass the shell and invoke the delegate
directly (using fork and execve).  If this is not feasible, the file
name should be translated according to this pseudo-code:

def translate(name):
    result = '\''
    for char in name:
        if char == '\'':
            result += "'\\''"
        else:
            result += char
    result += '\''
    return result

Using ' instead of " as the string terminator ensures that variable
expansion is disabled in the string.  If a single quote is contained
in the input string, it is replaced with '\'' (including the quotes),
which terminates the string processing, inserts a quoted "'"
character, and continues with string processing.  This way, all
characters (except ASCII NUL, naturally) can be safely passed through
the shell to the delegate.  The delegate, however, must have been
written to deal with arbitrary file names.

Unfortunately, this is unlikely to work on native Windows because
command line parsing is application-specific.

Please pass this message to upstream nevertheless (I couldn't find a
security contact on their web pages).

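The two alternatives proposed in the message above, as an added example in C that is not part of the bug report or of ImageMagick: shell_quote() implements the quoted pseudo-code, via_shell() passes a quoted name through the shell, and via_exec() hands the name to the child with fork and execvp and no shell at all. The function names and the use of printf as a stand-in delegate are assumptions; the sample file names are the ones used in the reports on this page, plus one constructed name containing a single quote.

```c
/* Added example, not ImageMagick code. Function names are hypothetical;
   printf(1) stands in for a delegate that is handed one file name. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* translate() from the message: wrap in '...', rewrite each ' as '\''.
   Returns a malloc'd string, or NULL on allocation failure. */
char *shell_quote(const char *name)
{
  size_t need = 3; /* opening quote, closing quote, NUL */
  const char *s;
  char *out, *d;

  for (s = name; *s != '\0'; s++)
    need += (*s == '\'') ? 4 : 1;
  if ((out = malloc(need)) == NULL)
    return NULL;
  d = out;
  *d++ = '\'';
  for (s = name; *s != '\0'; s++)
    if (*s == '\'') {
      memcpy(d, "'\\''", 4);
      d += 4;
    } else
      *d++ = *s;
  memcpy(d, "'", 2); /* closing quote and NUL */
  return out;
}

/* Run "printf %s <quoted name>" through /bin/sh; buf receives the argument
   exactly as the child saw it. Returns 0 on success. */
int via_shell(const char *name, char *buf, size_t size)
{
  char command[1024], *quoted = shell_quote(name);
  size_t got;
  FILE *fp;

  if (quoted == NULL || strlen(quoted) + sizeof("printf %s ") > sizeof command) {
    free(quoted);
    return -1;
  }
  snprintf(command, sizeof command, "printf %%s %s", quoted);
  free(quoted);
  if ((fp = popen(command, "r")) == NULL)
    return -1;
  got = fread(buf, 1, size - 1, fp);
  buf[got] = '\0';
  return pclose(fp) == 0 ? 0 : -1;
}

/* Same delegate without a shell: the name is a single argv element and is
   never parsed as a command line. Returns 0 on success. */
int via_exec(const char *name, char *buf, size_t size)
{
  char *argv[] = { "printf", "%s", (char *) name, NULL };
  int fds[2], status;
  size_t used = 0;
  ssize_t got;
  pid_t pid;

  if (pipe(fds) == -1)
    return -1;
  if ((pid = fork()) == 0) { /* child: stdout to the pipe, then exec */
    dup2(fds[1], STDOUT_FILENO);
    close(fds[1]);
    execvp(argv[0], argv);
    _exit(127);
  }
  close(fds[1]);
  while (pid > 0 && used < size - 1 &&
         (got = read(fds[0], buf + used, size - 1 - used)) > 0)
    used += (size_t) got;
  buf[used] = '\0';
  close(fds[0]);
  if (pid == -1 || waitpid(pid, &status, 0) == -1)
    return -1;
  return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
  /* Names from the reports on this page, plus one constructed with a '. */
  const char *names[] = { "\" ; echo \"Hi!\" >&2; : \".gif",
                          "test$(touch boo).fig", "it's.gif" };
  char a[256], b[256];
  size_t i;
  for (i = 0; i < 3; i++) {
    char *q = shell_quote(names[i]);
    int ok = !via_shell(names[i], a, sizeof a) && !strcmp(a, names[i]) &&
             !via_exec(names[i], b, sizeof b) && !strcmp(b, names[i]);
    printf("%s -> %s : %s\n", names[i], q ? q : "(null)", ok ? "intact" : "FAILED");
    free(q);
  }
  return 0;
}
```

In both variants the child receives the file name byte for byte, which is the property the denylist patch cannot give for names such as test$(touch boo).fig.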
Tags added: patch
Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.
Acknowledgement sent to Daniel Kobras <kobras@debian.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #36 received at 345238@bugs.debian.org:

On Thu, Jan 05, 2006 at 02:04:39PM +0100, Florian Weimer wrote:
> A better fix would be to bypass the shell and invoke the delegate
> directly (using fork and execve).  If this is not feasible, the file
> name should be translated according to this pseudo-code:

I went for an even more simple fix: pass a temporary, securely named
symlink to external delegates, instead of the user-supplied filename. We
get rid of the problem this way without any restrictions on allowed
characters in filenames. There's still the problem of information
disclosure because the symlink in /tmp displays the full path to the
image file, but I think that's less severe than the original problem.
Furthermore, users can easily circumvent it setting MAGICK_TMPDIR to a
700 directory. Unfortunately, even though the hack should be good enough
for Debian, it is not suitable for upstream because of portability
issues.

> Please pass this message to upstream nevertheless (I couldn't find a
> security contact on their web pages).

Assuming you were referring to me, I'm currently too short on time to
act as an intermediary for problems in packages I'm not even the
maintainer of. Therefore, I'd be grateful if someone else stepped in and
worked with upstream to settle on a long-term solution. I'm not aware of
a specific security contact, but a message to one of their web forums
usually gets fast attention.

Regards,

Daniel.

[imagemagick_0.5_0.6.diff (text/plain, inline)]
diff -u imagemagick-6.2.4.5/magick/blob.c imagemagick-6.2.4.5/magick/blob.c --- imagemagick-6.2.4.5/magick/blob.c +++ imagemagick-6.2.4.5/magick/blob.c @@ -2120,25 +2120,8 @@ /* Form filename for multi-part images. */ - (void) CopyMagickString(filename,image->filename,MaxTextExtent); - for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%')) - { - char - *q; - - q=p+1; - if (*q == '0') - (void) strtol(q,&q,10); - if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x')) - { - char - format[MaxTextExtent]; - - (void) CopyMagickString(format,p,MaxTextExtent); - (void) FormatMagickString(p,MaxTextExtent,format,image->scene); - break; - } - } + (void) FormatMagickStringNumeric(filename,MaxTextExtent,image->filename, + image->scene); if (image_info->adjoin == MagickFalse) if ((image->previous != (Image *) NULL) || (GetNextImageInList(image) != (Image *) NULL)) diff -u imagemagick-6.2.4.5/debian/rules imagemagick-6.2.4.5/debian/rules --- imagemagick-6.2.4.5/debian/rules +++ imagemagick-6.2.4.5/debian/rules @@ -24,7 +24,7 @@ --prefix=/usr \ --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ - --with-gs-font-dir=/usr/share/fonts/type1/gsfonts\ + --with-gs-font-dir=/usr/share/fonts/type1/gsfonts \ --with-magick-plus-plus \ --enable-shared \ --enable-lzw \ diff -u imagemagick-6.2.4.5/debian/changelog imagemagick-6.2.4.5/debian/changelog --- imagemagick-6.2.4.5/debian/changelog +++ imagemagick-6.2.4.5/debian/changelog 
@@ -1,3 +1,29 @@ +imagemagick (6:6.2.4.5-0.6) unstable; urgency=high + + * Non-maintainer upload. + * magick/display.c: In DisplayImageCommand(), expand command line before + allocating ressources based on argc. Patch and analysis thanks to + Eero Häkkinen. Closes: #345595 + * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c, + string_.h}: Implement new utility function FormatMagickStringNumeric() + to securely expand a user-supplied format string with a single numeric + argument. Adjust code to use this function where appropriate. + (CVE-2006-0082) Closes: #345876 + * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h, + magick/methods.h: Do not call external delegates with user-supplied + filename, but with securely named symlinks only to prevent shell command + injection (CVE-2005-4601). Closes: #345238 + * debian/rules: Make sure to include trailing spaces in multi-line + commands to keep recent make happy. Cures problems with ghostscript + font path. Fix thanks to Jeff Lessem. Closes: #347486 + * debian/imagemagick.mime: Rather than autodetect the type of an image, + derive it from the mime type. As a side effect, this change allows to + use arbitrary filenames with the 'see' command, even if they have + special meaning to imagemagick internally. Also clean up some typos + and superfluous entries once we're at it. Closes: #344997 + + -- Daniel Kobras <kobras@debian.org> Tue, 17 Jan 2006 18:33:58 +0100 + imagemagick (6:6.2.4.5-0.5) unstable; urgency=low * Another NMU to complete the installability fixes from 6:6.2.4.5-0.4. diff -u imagemagick-6.2.4.5/debian/imagemagick.mime imagemagick-6.2.4.5/debian/imagemagick.mime --- imagemagick-6.2.4.5/debian/imagemagick.mime +++ imagemagick-6.2.4.5/debian/imagemagick.mime 
@@ -1,45 +1,42 @@ -image/avs; display '%s'; test=test -n "$DISPLAY" -image/bie; display '%s'; test=test -n "$DISPLAY" -image/x-ms-bmp; display '%s'; test=test -n "$DISPLAY" -image/cmyk; display '%s'; test=test -n "$DISPLAY" -image/dcx; display '%s'; test=test -n "$DISPLAY" -image/eps; display '%s'; test=test -n "$DISPLAY" -image/fax; display '%s'; test=test -n "$DISPLAY" -image/fits; display '%s'; test=test -n "$DISPLAY" -image/gif; display '%s'; test=test -n "$DISPLAY" -image/gray; display '%s'; test=test -n "$DISPLAY" -image/gradation; display '%s'; test=test -n "$DISPLAY" -image/hdf; display '%s'; test=test -n "$DISPLAY" -image/jpeg; display '%s'; test=test -n "$DISPLAY" -image/pjpeg; display '%s'; test=test -n "$DISPLAY" -image/map; display '%s'; test=test -n "$DISPLAY" -image/miff; display '%s'; test=test -n "$DISPLAY" -image/mono; display '%s'; test=test -n "$DISPLAY" -image/mtv; display '%s'; test=test -n "$DISPLAY" -image/x-portable-bitmap; display '%s'; test=test -n "$DISPLAY" -image/pcd; display '%s'; test=test -n "$DISPLAY" -image/pcx; display '%s'; test=test -n "$DISPLAY" -image/pdf; display '%s'; test=test -n "$DISPLAY" -image/x-portable-graymap; display '%s'; test=test -n "$DISPLAY" -image/pict; display '%s'; test=test -n "$DISPLAY" -image/png; display '%s'; test=test -n "$DISPLAY" -image/x-portable-anymap; display '%s'; test=test -n "$DISPLAY" -image/x-portable-pixmap; display '%s'; test=test -n "$DISPLAY" -image/ps; display '%s'; test=test -n "$DISPLAY" -image/rad; display '%s'; test=test -n "$DISPLAY" -image/x-rgb; display '%s'; test=test -n "$DISPLAY" -image/rgba; display '%s'; test=test -n "$DISPLAY" -image/rla; display '%s'; test=test -n "$DISPLAY" -image/rle; display '%s'; test=test -n "$DISPLAY" -image/sgi; display '%s'; test=test -n "$DISPLAY" -image/sun-raster; display '%s'; test=test -n "$DISPLAY" -image/targa; display '%s'; test=test -n "$DISPLAY" -image/tiff; display '%s'; test=test -n "$DISPLAY" -image/uyvu; display '%s'; test=test -n 
"$DISPLAY" -image/vid; display '%s'; test=test -n "$DISPLAY" -image/viff; display '%s'; test=test -n "$DISPLAY" -image/x-xbitmap; display '%s'; test=test -n "$DISPLAY" -image/x-xpixmap; display '%s'; test=test -n "$DISPLAY" -image/x-xwindowdump; display '%s'; test=test -n "$DISPLAY" -image/x-icon; display '%s'; test=test -n "$DISPLAY" -image/yuv; display '%s'; test=test -n "$DISPLAY" +image/avs; display 'avs:%s'; test=test -n "$DISPLAY" +image/bie; display 'jbig:%s'; test=test -n "$DISPLAY" +image/x-ms-bmp; display 'bmp:%s'; test=test -n "$DISPLAY" +image/cmyk; display 'cmyk:%s'; test=test -n "$DISPLAY" +image/dcx; display 'dcx:%s'; test=test -n "$DISPLAY" +image/eps; display 'eps:%s'; test=test -n "$DISPLAY" +image/fax; display 'fax:%s'; test=test -n "$DISPLAY" +image/fits; display 'fits:%s'; test=test -n "$DISPLAY" +image/gif; display 'gif:%s'; test=test -n "$DISPLAY" +image/gray; display 'gray:%s'; test=test -n "$DISPLAY" +image/jpeg; display 'jpeg:%s'; test=test -n "$DISPLAY" +image/pjpeg; display 'jpeg:%s'; test=test -n "$DISPLAY" +image/miff; display 'miff:%s'; test=test -n "$DISPLAY" +image/mono; display 'mono:%s'; test=test -n "$DISPLAY" +image/mtv; display 'mtv:%s'; test=test -n "$DISPLAY" +image/x-portable-bitmap; display 'pbm:%s'; test=test -n "$DISPLAY" +image/pcd; display 'pcd:%s'; test=test -n "$DISPLAY" +image/pcx; display 'pcx:%s'; test=test -n "$DISPLAY" +image/pdf; display 'pdf:%s'; test=test -n "$DISPLAY" +image/x-portable-graymap; display 'pgm:%s'; test=test -n "$DISPLAY" +image/pict; display 'pict:%s'; test=test -n "$DISPLAY" +image/png; display 'png:%s'; test=test -n "$DISPLAY" +image/x-portable-anymap; display 'pnm:%s'; test=test -n "$DISPLAY" +image/x-portable-pixmap; display 'ppm:%s'; test=test -n "$DISPLAY" +image/ps; display 'ps:%s'; test=test -n "$DISPLAY" +image/rad; display 'rad:%s'; test=test -n "$DISPLAY" +image/x-rgb; display 'rgb:%s'; test=test -n "$DISPLAY" +image/rgba; display 'rgba:%s'; test=test -n "$DISPLAY" +image/rla; 
display 'rla:%s'; test=test -n "$DISPLAY" +image/rle; display 'rle:%s'; test=test -n "$DISPLAY" +image/sgi; display 'sgi:%s'; test=test -n "$DISPLAY" +image/sun-raster; display 'sun:%s'; test=test -n "$DISPLAY" +image/targa; display 'tga:%s'; test=test -n "$DISPLAY" +image/tiff; display 'tiff:%s'; test=test -n "$DISPLAY" +image/uyvy; display 'uyvy:%s'; test=test -n "$DISPLAY" +image/vid; display 'vid:%s'; test=test -n "$DISPLAY" +image/viff; display 'viff:%s'; test=test -n "$DISPLAY" +image/x-xbitmap; display 'xbm:%s'; test=test -n "$DISPLAY" +image/x-xpixmap; display 'xpm:%s'; test=test -n "$DISPLAY" +image/x-xwindowdump; display 'xwd:%s'; test=test -n "$DISPLAY" +image/x-icon; display 'icon:%s'; test=test -n "$DISPLAY" +image/yuv; display 'yuv:%s'; test=test -n "$DISPLAY" only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/coders/pdf.c +++ imagemagick-6.2.4.5/coders/pdf.c @@ -356,6 +356,16 @@ " -sPDFPassword=%s",read_info->authenticate); (void) CopyMagickString(filename,read_info->filename,MaxTextExtent); (void) AcquireUniqueFilename(read_info->filename); + if (AcquireTemporarySymlink((char *) image_info->filename,filename) + == MagickFalse) + { + (void) RelinquishUniqueFileResource(postscript_filename); + (void) RelinquishUniqueFileResource(read_info->filename); + (void) DestroyImageInfo(read_info); + ThrowFileException(exception,FileOpenError,"UnableToCreateTemporaryFile", + image_info->filename); + return((Image *) NULL); + } (void) FormatMagickString(command,MaxTextExtent, GetDelegateCommands(delegate_info), read_info->antialias != MagickFalse ? 4 : 1, 
@@ -363,6 +373,8 @@ read_info->filename,postscript_filename,image_info->filename); status=InvokePostscriptDelegate(read_info->verbose,command); image=ReadImage(read_info,exception); + unlink(image_info->filename); + (void) CopyMagickString((char *) image_info->filename,filename,MaxTextExtent); (void) RelinquishUniqueFileResource(postscript_filename); (void) RelinquishUniqueFileResource(read_info->filename); read_info=DestroyImageInfo(read_info); only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/coders/ps.c +++ imagemagick-6.2.4.5/coders/ps.c @@ -479,6 +479,16 @@ } (void) CopyMagickString(filename,read_info->filename,MaxTextExtent); (void) AcquireUniqueFilename(read_info->filename); + if (AcquireTemporarySymlink((char *) image_info->filename,filename) + == MagickFalse) + { + (void) RelinquishUniqueFileResource(postscript_filename); + (void) RelinquishUniqueFileResource(read_info->filename); + (void) DestroyImageInfo(read_info); + ThrowFileException(&image->exception,FileOpenError, + "UnableToCreateTemporaryFile",image_info->filename); + return((Image *) NULL); + } (void) FormatMagickString(command,MaxTextExtent, GetDelegateCommands(delegate_info), read_info->antialias != MagickFalse ? 4 : 1, @@ -495,6 +505,8 @@ } (void) RelinquishUniqueFileResource(postscript_filename); (void) RelinquishUniqueFileResource(read_info->filename); + unlink(image_info->filename); + (void) CopyMagickString((char *) image_info->filename,filename,MaxTextExtent); if (image == (Image *) NULL) { /* only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/animate.c +++ imagemagick-6.2.4.5/magick/animate.c 
@@ -604,7 +604,7 @@ /* Form filename for multi-part images. */ - (void) FormatMagickString(filename,MaxTextExtent, + (void) FormatMagickStringNumeric(filename,MaxTextExtent, image_info->filename,scene); if (LocaleCompare(filename,image_info->filename) == 0) (void) FormatMagickString(filename,MaxTextExtent,"%s[%lu]", only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/delegate.c +++ imagemagick-6.2.4.5/magick/delegate.c 
@@ -673,6 +673,72 @@ % % % % % % ++ A c q u i r e T e m p o r a r y S y m l i n k % +% % +% % +% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% AcquireTemporarySymlink replaces the contents of the string buffer pointed +% to by filename with the unique name of a symbolic link. True is returned +% if a symlink waas created, or False is returned if there is a failure. +% The allocated symlink should be recovered via the LiberateTemporaryFile() +% function once it is no longer required. +% +% The format of the AcquireTemporarySymlink method is: +% +% unsigned int AcquireTemporarySymlink(char *linkname, const char *name) +% +% A description of each parameter follows. +% +% o linkname: Specifies a pointer to an array of characters that must be +% MaxTextExtent characters of size. The unique +% name of the symlink is returned in this array. +% o name: Specifies a file name the symlink should point to. +*/ +MagickExport unsigned int AcquireTemporarySymlink(char *linkname, const char *name) +{ + char + *tempname; + + int + fd, + tries; + + assert(linkname != (char *)NULL); + linkname[0]='\0'; + linkname[MaxTextExtent-1]='\0'; + + for (tries=0; tries < 15; tries++) + { + tempname=tempnam(getenv("MAGICK_TMPDIR"),"magick-"); + strncpy(linkname,tempname,MaxTextExtent-1); + free(tempname); + if (*name == '/') + fd=symlink(name, linkname); + else + { + char cname[MaxTextExtent]; + if (!getcwd(cname,(size_t)MaxTextExtent)) + return (MagickFalse); + strncat(cname,"/",MaxTextExtent-1); + strncat(cname,name,MaxTextExtent-1); + fd=symlink(cname,linkname); + } + if (fd != -1) + { + close(fd); + return (MagickTrue); + } + } + return (MagickFalse); +} + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% % +% % +% % % I n v o k e D e l e g a t e % % % % % 
@@ -704,8 +770,11 @@ char *command, **commands, + linkedname[MaxTextExtent], + linkedinfoname[MaxTextExtent], filename[MaxTextExtent]; + const DelegateInfo *delegate_info; @@ -725,20 +794,40 @@ assert(image->signature == MagickSignature); if (image->debug != MagickFalse) (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); + linkedname[0]='\0'; + linkedinfoname[0]='\0'; temporary=(MagickBooleanType) (*image->filename == '\0'); if (temporary != MagickFalse) - if (AcquireUniqueFilename(image->filename) == MagickFalse) - { - ThrowFileException(exception,FileOpenError, - "UnableToCreateTemporaryFile",image->filename); - return(MagickFalse); - } + { + if (AcquireUniqueFilename(image->filename) == MagickFalse) + { + ThrowFileException(exception,FileOpenError, + "UnableToCreateTemporaryFile",image->filename); + return(MagickFalse); + } + } + else + { + (void) CopyMagickString(linkedname,image->filename,MaxTextExtent); + if (AcquireTemporarySymlink(image->filename,linkedname) == MagickFalse) + { + ThrowFileException(exception,FileOpenError, + "UnableToCreateTemporaryFile",image->filename); + return(MagickFalse); + } + } + (void) CopyMagickString(filename,image->filename,MaxTextExtent); delegate_info=GetDelegateInfo(decode,encode,exception); if (delegate_info == (DelegateInfo *) NULL) { if (temporary != MagickFalse) (void) RelinquishUniqueFileResource(image->filename); + else + { + unlink(image->filename); + (void) CopyMagickString(image->filename,linkedname,MaxTextExtent); + } (void) ThrowMagickException(exception,GetMagickModule(),DelegateError, "NoTagFound","`%s'",decode ? decode : encode); return(MagickFalse); 
@@ -749,12 +838,31 @@ { if (temporary != MagickFalse) (void) RelinquishUniqueFileResource(image->filename); + else + { + unlink(image->filename); + (void) CopyMagickString(image->filename,linkedname, + MaxTextExtent); + } ThrowFileException(exception,FileOpenError, "UnableToCreateTemporaryFile",image_info->filename); return(MagickFalse); } image_info->temporary=MagickTrue; } + else + { + (void) CopyMagickString(linkedinfoname,image_info->filename, + MaxTextExtent); + if (AcquireTemporarySymlink(image_info->filename,linkedinfoname) + == MagickFalse) + { + ThrowFileException(exception,FileOpenError, + "UnableToCreateTemporaryFile",image_info->filename); + return(MagickFalse); + } + } + if (delegate_info->mode != 0) if (((decode != (const char *) NULL) && (delegate_info->encode != (char *) NULL)) || @@ -795,6 +903,12 @@ (void) RelinquishUniqueFileResource(image_info->zero); if (temporary != MagickFalse) (void) RelinquishUniqueFileResource(image->filename); + else + { + unlink(image->filename); + (void) CopyMagickString(image->filename,linkedname, + MaxTextExtent); + } (void) ThrowMagickException(exception,GetMagickModule(), DelegateError,"DelegateFailed","`%s'",decode ? decode : encode); return(MagickFalse); @@ -822,6 +936,12 @@ (void) RelinquishUniqueFileResource(image_info->zero); if (temporary != MagickFalse) (void) RelinquishUniqueFileResource(image->filename); + else + { + unlink(image->filename); + (void) CopyMagickString(image->filename,linkedname, + MaxTextExtent); + } clone_info=DestroyImageInfo(clone_info); (void) ThrowMagickException(exception,GetMagickModule(), DelegateError,"DelegateFailed","`%s'",decode ? decode : encode); 
@@ -843,6 +963,18 @@ { if (temporary != MagickFalse) (void) RelinquishUniqueFileResource(image->filename); + else + { + unlink(image->filename); + (void) CopyMagickString(image->filename,linkedname, + MaxTextExtent); + } + if (*linkedinfoname) + { + unlink(image_info->filename); + (void) CopyMagickString(image_info->filename,linkedinfoname, + MaxTextExtent); + } (void) ThrowMagickException(exception,GetMagickModule(), ResourceLimitError,"MemoryAllocationFailed","`%s'", decode ? decode : encode); @@ -895,6 +1027,18 @@ commands=(char **) RelinquishMagickMemory(commands); if (temporary != MagickFalse) (void) RelinquishUniqueFileResource(image->filename); + else + { + unlink(image->filename); + (void) CopyMagickString(image->filename,linkedname, + MaxTextExtent); + } + if (*linkedinfoname) + { + unlink(image_info->filename); + (void) CopyMagickString(image_info->filename,linkedinfoname, + MaxTextExtent); + } return((MagickBooleanType) (status == MagickFalse)); } only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/delegate.h +++ imagemagick-6.2.4.5/magick/delegate.h @@ -96,6 +96,9 @@ extern MagickExport long GetDelegateMode(const DelegateInfo *); +extern MagickExport unsigned int + AcquireTemporarySymlink(char *, const char *); + extern MagickExport MagickBooleanType InvokePostscriptDelegate(const MagickBooleanType,const char *), InvokeDelegate(ImageInfo *,Image *,const char *,const char *,ExceptionInfo *), only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/display.c +++ imagemagick-6.2.4.5/magick/display.c @@ -1841,10 +1841,7 @@ image_number=0; last_image=0; last_scene=0; - image_marker=(unsigned long *) - AcquireMagickMemory((argc+1)*sizeof(*image_marker)); - for (i=0; i <= argc; i++) - image_marker[i]=(unsigned long) argc; + image_marker=(unsigned long *) NULL; option=(char *) NULL; pend=MagickFalse; resource_database=(XrmDatabase) NULL; 
@@ -1852,9 +1849,6 @@ server_name=(char *) NULL; state=0; status=MagickTrue; - if (image_marker == (unsigned long *) NULL) - ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed", - strerror(errno)); /* Check for server name specified on the command line. */ @@ -1863,6 +1857,13 @@ if (status == MagickFalse) ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed", strerror(errno)); + image_marker=(unsigned long *) + AcquireMagickMemory((argc+1)*sizeof(*image_marker)); + for (i=0; i <= argc; i++) + image_marker[i]=(unsigned long) argc; + if (image_marker == (unsigned long *) NULL) + ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed", + strerror(errno)); for (i=1; i < (long) argc; i++) { /* @@ -1983,7 +1984,7 @@ /* Form filename for multi-part images. */ - (void) FormatMagickString(filename,MaxTextExtent, + (void) FormatMagickStringNumeric(filename,MaxTextExtent, image_info->filename,scene); if (LocaleCompare(filename,image_info->filename) == 0) (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu", only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/image.c +++ imagemagick-6.2.4.5/magick/image.c 
@@ -2869,25 +2869,8 @@ /* Rectify multi-image file support. */ - (void) CopyMagickString(filename,image_info->filename,MaxTextExtent); - for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%')) - { - char - *q; - - q=(char *) p+1; - if (*q == '0') - (void) strtol(q,&q,10); - if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x')) - { - char - format[MaxTextExtent]; - - (void) CopyMagickString(format,p,MaxTextExtent); - (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene); - break; - } - } + (void) FormatMagickStringNumeric(filename,MaxTextExtent, + image_info->filename,image_info->scene); if ((LocaleCompare(filename,image_info->filename) != 0) && (strchr(filename,'%') == (char *) NULL)) image_info->adjoin=MagickFalse; only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/log.c +++ imagemagick-6.2.4.5/magick/log.c @@ -914,8 +914,8 @@ char filename[MaxTextExtent]; - (void) FormatMagickString(filename,MaxTextExtent,log_info->filename, - log_info->generation % log_info->generations); + (void) FormatMagickStringNumeric(filename,MaxTextExtent, + log_info->filename,log_info->generation % log_info->generations); log_info->file=fopen(filename,"w"); if (log_info->file == (FILE *) NULL) { only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/methods.h +++ imagemagick-6.2.4.5/magick/methods.h @@ -47,6 +47,7 @@ #define AcquireSemaphoreInfo PrependMagickMethod(AcquireSemaphoreInfo) #define AcquireStringInfo PrependMagickMethod(AcquireStringInfo) #define AcquireString PrependMagickMethod(AcquireString) +#define AcquireTemporarySymlink PrependMagickMethod(AcquireTemporarySymlink) #define AcquireUniqueFilename PrependMagickMethod(AcquireUniqueFilename) #define AcquireUniqueFileResource PrependMagickMethod(AcquireUniqueFileResource) #define AdaptiveThresholdImage PrependMagickMethod(AdaptiveThresholdImage) only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/montage.c +++ imagemagick-6.2.4.5/magick/montage.c 
@@ -530,7 +530,7 @@ /* Form filename for multi-part images. */ - (void) FormatMagickString(filename,MaxTextExtent, + (void) FormatMagickStringNumeric(filename,MaxTextExtent, image_info->filename,scene); if (LocaleCompare(filename,image_info->filename) == 0) (void) FormatMagickString(filename,MaxTextExtent,"%s.%lu", only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/string.c +++ imagemagick-6.2.4.5/magick/string.c 
@@ -960,6 +960,75 @@ % % % % % % +% F o r m a t M a g i c k S t r i n g N u m e r i c % +% % +% % +% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% Method FormatMagickStringNumeric formats output for a single numeric +% argument. It takes into account that the format string given might be +% untrusted user input, and returns the length of the formatted string. +% +% The format of the FormatMagickStringNumeric method is: +% +% long FormatMagickStringNumeric(char *string,const size_t length, +% const char *format,int value) +% +% A description of each parameter follows. +% +% o string: FormatMagickStringNumeric() returns the formatted string in this +% character buffer. +% +% o length: The maximum length of the string. +% +% o format: A string describing the format to use to write the numeric +% argument. Only the first numeric format identifier is replaced. +% +% o value: Numeric value to substitute into format string. +% +% +*/ +MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value) +{ + char + *p; + + (void) CopyMagickString(string, format, length); + + for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%')) + { + char + *q; + + q=(char *) p+1; + if (*q == '0') + (void) strtol(q,&q,10); + if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x')) + { + char + c; + + q++; + c=*q; + *q='\0'; + (void) snprintf(string+(p-format),length-(p-format),p,value); + *q=c; + (void) ConcatenateMagickString(string,q,length); + if (*(q-1) == '%') + p++; + else + break; + } + } + return (long)strlen(string); +} + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% % +% % +% % % F o r m a t M a g i c k S t r i n g % % % % % only in patch4: unchanged: --- imagemagick-6.2.4.5.orig/magick/string_.h +++ imagemagick-6.2.4.5/magick/string_.h 
@@ -60,6 +60,7 @@ magick_attribute((format (printf,3,4))), FormatMagickStringList(char *,const size_t,const char *,va_list) magick_attribute((format (printf,3,0))), + FormatMagickStringNumeric(char *,const size_t,const char *,int), LocaleCompare(const char *,const char *), LocaleNCompare(const char *,const char *,const size_t);
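Review bot: In the first hunk (@@ -530,7 +530,7 @@), scene is now passed to FormatMagickStringNumeric(), whose prototype takes "int value", while the unchanged fallback call two lines below formats with "%s.%lu", which suggests scene is an unsigned long at this call site. Either give the new helper an unsigned long parameter or state next to the call that scene numbers are deliberately narrowed to int. Since the helper expands only %d, %o and %x, a filename template that uses any other conversion now falls through to the "%s.%lu" fallback; that behaviour change deserves a line in the comment above the call.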
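Review bot: In FormatMagickStringNumeric() in the magick/string.c hunk, the snprintf() call takes string+(p-format) as destination and length-(p-format) as size without checking that p-format is smaller than length, so a format longer than length makes the size_t size argument wrap around; leave the loop as soon as (size_t) (p-format) >= length. The same offset also goes stale once a "%%" has been collapsed to a single "%", because string is then one byte shorter than format from that point on and a later %d lands one position too far to the right. Finally, "*q='\0'" writes through a pointer derived from "const char *format", which modifies the caller's buffer and faults if it is read-only; scanning a private copy of format and tracking a separate output offset would address all three.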
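Review bot: In the magick/string_.h hunk, the new FormatMagickStringNumeric() prototype sits between neighbours that carry magick_attribute((format (printf,...))) but has no comment explaining why it carries none. Add a line saying that format is untrusted input and that only a single %d, %o or %x (optionally with a 0-prefixed width) is expanded, so that a later cleanup does not add the printf attribute or switch callers back to FormatMagickString().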
Tags added: fixed. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.
Acknowledgement sent to Daniel Kobras <kobras@debian.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #43 received at 345238@bugs.debian.org:
found 345238 4:5.4.4.5-1woody7
found 345238 6:6.0.6.2-2.5
thanks

On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > With some user interaction, this is exploitable through Gnus and
> > Thunderbird. I think this warrants increasing the severity to
> > "grave".
>
> Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
> I wonder why they've banned ` but still allow $(...), though.

The security updates for woody and sarge (DSA-957) use a backport of
upstream's fix without further modifications, ie. this hole can still be
exploited through $(...) expansion. The following test case works on
woody and sarge with the latest imagemagick security updates installed:

% ls
test$(touch boo).fig
% display 'test$(touch boo).fig'
File "test.fig" does not exist
display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
% ls
boo test$(touch boo).fig

Regards,

Daniel.
Bug marked as found in version 4:5.4.4.5-1woody7. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.
Bug marked as found in version 6:6.0.6.2-2.5. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #52 received at 345238@bugs.debian.org:
Daniel Kobras wrote:
> found 345238 4:5.4.4.5-1woody7
> found 345238 6:6.0.6.2-2.5
> thanks
>
> On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > > With some user interaction, this is exploitable through Gnus and
> > > Thunderbird. I think this warrants increasing the severity to
> > > "grave".
> >
> > Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
> > I wonder why they've banned ` but still allow $(...), though.
>
> The security updates for woody and sarge (DSA-957) use a backport of
> upstream's fix without further modifications, ie. this hole can still be
> exploited through $(...) expansion. The following test case works on
> woody and sarge with the latest imagemagick security updates installed:
>
> % ls
> test$(touch boo).fig
> % display 'test$(touch boo).fig'
> File "test.fig" does not exist
> display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
> % ls
> boo test$(touch boo).fig

Gnah. You are correct. I'm extending the list of forbidden characters
by $().

Thanks,

Joey

--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin

Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Daniel Kobras <kobras@debian.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #57 received at 345238@bugs.debian.org:
On Fri, Jan 27, 2006 at 10:32:51PM +0100, Martin Schulze wrote:
> Daniel Kobras wrote:
> > On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> > > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > > > With some user interaction, this is exploitable through Gnus and
> > > > Thunderbird. I think this warrants increasing the severity to
> > > > "grave".
> > >
> > > Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
> > > I wonder why they've banned ` but still allow $(...), though.
> >
> > The security updates for woody and sarge (DSA-957) use a backport of
> > upstream's fix without further modifications, ie. this hole can still be
> > exploited through $(...) expansion. The following test case works on
> > woody and sarge with the latest imagemagick security updates installed:
> >
> > % ls
> > test$(touch boo).fig
> > % display 'test$(touch boo).fig'
> > File "test.fig" does not exist
> > display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
> > % ls
> > boo test$(touch boo).fig
>
> Gnah. You are correct. I'm extending the list of forbidden characters
> by $().

Upstream has reverted the blacklist and instead went for an improved
version of the symlink fix I added to ImageMagick in unstable. The patch
is more involved, but also more robust and doesn't impose limits on
allowed filenames. If you're interested I can extract the changes from
upstream SVN.

Regards,

Daniel.
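The symlink approach described in the message above, which the 6:6.2.4.5-0.6 changelog entry on this page records as calling delegates "with securely named symlinks only", sketched as an added example. It is not ImageMagick's or Debian's code; the function names, the /tmp templates and the alias name "in" are assumptions, and the command string is built but never executed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink, readlink */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if s is non-empty and holds only characters that mean nothing to sh. */
int is_shell_inert(const char *s)
{
  static const char ok[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-";
  return (*s != '\0') && (s[strspn(s, ok)] == '\0');
}

/* Create a private directory (mode 0700) and, inside it, a symlink "in" that
   points at the real file. The delegate is given alias, never user_path. */
int make_delegate_alias(const char *user_path, char *dir, size_t dir_len,
                        char *alias, size_t alias_len)
{
  char resolved[PATH_MAX];
  int n;

  if (realpath(user_path, resolved) == NULL)
    return -1;
  n = snprintf(dir, dir_len, "/tmp/delegate-XXXXXX");   /* assumed template */
  if (n < 0 || (size_t) n >= dir_len || mkdtemp(dir) == NULL)
    return -1;
  n = snprintf(alias, alias_len, "%s/in", dir);
  if (n < 0 || (size_t) n >= alias_len || symlink(resolved, alias) != 0)
    {
      rmdir(dir);
      return -1;
    }
  return 0;
}

/* Expand the fig2dev delegate quoted in the thread; refuse any name that did
   not come out of the allowlist, so nothing is left for the shell to expand. */
int build_delegate_command(char *cmd, size_t len, const char *in,
                           const char *out)
{
  int n;

  if (!is_shell_inert(in) || !is_shell_inert(out))
    return -1;
  n = snprintf(cmd, len, "\"fig2dev\" -L ps \"%s\" \"%s\"", in, out);
  return (n < 0 || (size_t) n >= len) ? -1 : 0;
}

/* Constructed walk-through using the file name from the thread's test case.
   Returns the delegate command, or NULL on failure. Nothing is executed. */
const char *demo(void)
{
  static char cmd[2 * PATH_MAX];
  char work[] = "/tmp/upload-XXXXXX";
  char hostile[PATH_MAX], real[PATH_MAX], target[PATH_MAX];
  char dir[64], alias[80], out[80];
  const char *result = NULL;
  ssize_t len;
  FILE *f;

  if (mkdtemp(work) == NULL)
    return NULL;
  snprintf(hostile, sizeof hostile, "%s/test$(touch boo).fig", work);
  f = fopen(hostile, "w");
  if (f == NULL)
    {
      rmdir(work);
      return NULL;
    }
  fclose(f);
  if (make_delegate_alias(hostile, dir, sizeof dir, alias, sizeof alias) == 0)
    {
      snprintf(out, sizeof out, "%s/out", dir);
      len = readlink(alias, target, sizeof target - 1);
      if (len >= 0)
        {
          target[len] = '\0';
          /* The alias must still reach the file the user named. */
          if (realpath(hostile, real) != NULL && strcmp(target, real) == 0 &&
              build_delegate_command(cmd, sizeof cmd, alias, out) == 0)
            result = cmd;
        }
      unlink(alias);
      rmdir(dir);
    }
  unlink(hostile);
  rmdir(work);
  return result;
}

int main(void)
{
  const char *cmd = demo();

  puts(cmd != NULL ? cmd : "alias setup failed");
  return cmd != NULL ? 0 : 1;
}
```

The user's file name stays unrestricted because it is only ever passed to system calls; the allowlist applies to the generated alias, which is the trade-off the thread weighs against the blacklist.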
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #62 received at 345238@bugs.debian.org:
Daniel Kobras wrote:
> > Gnah. You are correct. I'm extending the list of forbidden characters
> > by $().
>
> Upstream has reverted the blacklist and instead went for an improved
> version of the symlink fix I added to ImageMagick in unstable. The patch
> is more involved, but also more robust and doesn't impose limits on
> allowed filenames. If you're interested I can extract the changes from
> upstream SVN.

I've seen your patch and decided against it since it is quite intrusive.
The blacklist approach should be sufficient for the updates in our stable
releases.

Regards,

Joey

--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin

Please always Cc to me when replying to me on the lists.
Acknowledgement sent to Daniel Kobras <kobras@debian.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #67 received at 345238@bugs.debian.org:
On Fri, Jan 27, 2006 at 10:59:34PM +0100, Martin Schulze wrote:
> Daniel Kobras wrote:
> > > Gnah. You are correct. I'm extending the list of forbidden characters
> > > by $().
> >
> > Upstream has reverted the blacklist and instead went for an improved
> > version of the symlink fix I added to ImageMagick in unstable. The patch
> > is more involved, but also more robust and doesn't impose limits on
> > allowed filenames. If you're interested I can extract the changes from
> > upstream SVN.
>
> I've seen your patch and decided against it since it is quite intrusive.
> The blacklist approach should be sufficient for the updates in our stable
> releases.

Yes, but then '(' and ')' are quite commonly found in filenames, so
someone might trip over this change. The previous fix for CAN-2005-0397
already partially broke support for movies and multi-layered images, so
I'm not that happy seeing even more functionality taken away.

Hm, how about we go with the quick fix for now, and I'll prepare a
slightly more complex but less user-visible patch for proposed-updates
that you can review later with your SRM hat on?

Regards,

Daniel.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
Message #72 received at 345238@bugs.debian.org:
Daniel Kobras wrote:
> On Fri, Jan 27, 2006 at 10:59:34PM +0100, Martin Schulze wrote:
> > Daniel Kobras wrote:
> > > > Gnah. You are correct. I'm extending the list of forbidden characters
> > > > by $().
> > >
> > > Upstream has reverted the blacklist and instead went for an improved
> > > version of the symlink fix I added to ImageMagick in unstable. The patch
> > > is more involved, but also more robust and doesn't impose limits on
> > > allowed filenames. If you're interested I can extract the changes from
> > > upstream SVN.
> >
> > I've seen your patch and decided against it since it is quite intrusive.
> > The blacklist approach should be sufficient for the updates in our stable
> > releases.
>
> Yes, but then '(' and ')' are quite commonly found in filenames, so
> someone might trip over this change. The previous fix for CAN-2005-0397

I've decided that they're not dangerous on their own, but only the $ sign,
so the patch doesn't touch () at all.

Regards,

Joey

--
Computers are not intelligent. They only think they are.

Please always Cc to me when replying to me on the lists.
Message #75 received at 345238-submitter@bugs.debian.org:
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #345238 in the imagemagick
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

- the bug was fixed in one version but subsequently found to exist in a
  later version
- the bug existed in multiple distributions (for instance, "unstable"
  and "stable") and was thus fixed in a separate upload to each
  distribution
]

Regards,

Adam
Bug marked as fixed in version 6:6.2.4.5-0.6, send any further explanations to Florian Weimer <fw@deneb.enyo.de>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.
Bug marked as fixed in version 4:5.4.4.5-1woody8, send any further explanations to Florian Weimer <fw@deneb.enyo.de>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.
Bug marked as fixed in version 6:6.0.6.2-2.6, send any further explanations to Florian Weimer <fw@deneb.enyo.de>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.
Reply sent to Daniel Kobras <kobras@debian.org>: You have taken responsibility.
Notification sent to Florian Weimer <fw@deneb.enyo.de>: Bug acknowledged by developer.
Message #95 received at 345238-close@bugs.debian.org:
Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.dsc
imagemagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick9_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1_i386.deb
perlmagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 345238@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Sat, 28 Apr 2007 18:00:10 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luciano@linux.org.ar>
Changed-By: Daniel Kobras <kobras@debian.org>
Description:
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 214623 317083 318176 325651 325720 330666 333616 335111 339548 340401 344997 345238 345595 345876 347486 349264 351498 352575 358148 360362 360400 364826 381831 383314 383314 385062 386964 393025 395830 398183 401047 404477 410435 412945 417237 418057 419274 420353
Changes:
 imagemagick (7:6.2.4.5.dfsg1-1) unstable; urgency=high
 .
   * New maintainers.
   * debian/compat: Splice debhelper version out of debian/rules into
     separate file (but don't bump version).
   * debian/control: Adjust jasper dependencies to current package names.
     Closes: #419274, #420353
   * Documentation minors improvements:
     - Manpages says SEE ALSO, not SEE-ALSO. Closes: #333616
     - Escaped specials chars in manpages. Closes: #381831
     - External reference in convert(1). Closes: #398183
     - "isplay", "perferred", "similiar" and "morify.html" typos fixed.
       Closes: #386964, #351498, #395830
     - ImageMagick(1) indentation. Closes: #335111
     - "convert -help" duplicated line fixes. Closes: #339548
     - Typo in description of --resize command fixed. Closes: #364826
   * Magick++/lib/Image.cpp: Include cstdlib header to fix build failure
     with gcc 4.3. Patch thanks to Martin Michlmayr. Closes: #417237
   * coders/dcm.c: Fix integer overflow in DCM coder. (CVE-2007-1797)
     Closes: #418057
   * coders/icon.c: Fix segfault in ICON coder.
   * coders/pcx.c: Fix heap overflow in PCX coder.
   * coders/pict.c: Fix multiple segfaults in PICT coder.
   * coders/png.c: Fix segfault in PNG coder.
   * coders/pnm.c: Fix segfault in PNM coder.
   * coders/sgi.c: Fix segfault in SGI coder.
   * coders/sun.c: Fix segfault during conversion in SUN coder.
   * coders/viff.c: Prevent heap corruption in VIFF coder.
   * coders/xwd.c: Fix segfault during conversion in XWD coder.
   * coders/xwd.c: Fix multiple integer overflows in XWD coder.
     (CVE-2007-1667, CVE-2007-1797)
   * The above fixes collectively address the following bug report:
     Closes: #412945
   * config/delegates.xml.in: Lose obsolete option -3 to dcraw delegate
     to unbreak support for raw digital images. Closes: #404477
 .
 imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
     Avoid bogus second read in macro call. Patch thanks to Vladimir
     Nadvornik. (CVE-2007-0770) Closes: #410435
 .
 imagemagick (7:6.2.4.5.dfsg1-0.13) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/png.c: Fix amd64 build failure with recent libpng versions.
     Closes: #401047
   * debian/control: Tighten libpng12-dev build-dependency to exclude
     versions that are known to fail to link even with the above fix in
     place.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.12) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/control: Add build dependency on libxt-dev and pkg-config to
     make dependency list deterministic.
   * debian/control: libmagick9-dev depends on libxt-dev.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.11) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/dcm.c, coders/palm.c: Fix buffer overflows in DCM and Palm
     coders. Patches thanks to M Joonas Pihlaja. Closes: #393025
   * coders/sgi.c: Put back missing initialisation of loop variable that
     was erroneously removed in fix for CVE-2006-4144. Spotted by Martin
     Pitt. Closes: #383314
   * coders/sgi.c: Fix off-by-one error in boundary check causing slightly
     garbled image output. Also introduced in fix for for CVE-2006-4144.
   * coders/xpm.c: Do not gratuitously limit the allowed number of bytes
     per pixel. Patch thanks to Jens Seidel. Closes: #358148
   * magick/display.c: Fix NULL pointer dereference in display's "Visual
     Directory". Patch thanks to Frédéric Bothamy. Closes: #360400
   * utilities/ImageMagick.1.in: Replace UTF-8 encoded characters with
     latin1 equivalents to placate lintian.
   * debian/control: perlmagick provides libimage-magick-perl to comply
     with Perl policy. Closes: #317083
   * debian/control: Add gs-gpl build dependency, used in testsuite.
   * debian/control: Tries hard to comply with version 3.7.2 of Debian
     policy.
   * debian/rules: Eliminate -l entries that slipped into --ldflags
     output. They're already present in --libs anyway. Closes: #340401
   * debian/rules: Run the testsuite, but don't treat failures as fatal
     errors for now.
   * debian/rules: At configure time, change X11 search paths to X11R7
     locations.
   * debian/rules: Remove duplicate of license file from imagemagick
     package.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.10) unstable; urgency=high
 .
   * Non-Maintainer Upload
   * Fix buffer overflow in SGI parser [CVE-2006-4144] (closes: #383314)
     Thanks to Daniel Kobras
   * Fix double free in ICC profile in PerlMagick (closes: #349264)
   * Fix incomaptibility with graphviz >= 2.8 and build-depend on an
     appropriate version (closes: #360362)
   * Fix XCF and Sun Raster File buffer overflows [CVE-2006-3743/-3744]
     (closes: #385062)
 .
 imagemagick (7:6.2.4.5.dfsg1-0.9) unstable; urgency=low
 .
   * Non-Maintainer Upload
   * Remove all instances of the imagemagick logo from the original
     sourcefile and repack. (closes: #214623)
   * Add back the free logo patch
   * Add clean-tarball rule to accomplish this
   * Change the copyright file to indicate that the logo is no longer
     included, and indiciate that the included logo is actually text
     saying "imagemagick" with the Debian open use logo.
 .
 imagemagick (7:6.2.4.5-0.8) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Back to 6.2.4.5 as requested by the release team to maintain binary
     compatibility. Bumped epoch once more.
 .
 imagemagick (6:6.2.6.7-1) unstable; urgency=low
 .
   * New upstream version.
 .
 imagemagick (6:6.2.4.5-0.7) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/url.c: Do not treat local file:// URIs as temporary files
     that are removed after reading. Closes: #352575
 .
 imagemagick (6:6.2.4.5-0.6) unstable; urgency=high
 .
   * Non-maintainer upload.
   * magick/display.c: In DisplayImageCommand(), expand command line
     before allocating ressources based on argc. Patch and analysis
     thanks to Eero Häkkinen. Closes: #345595
   * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c,
     string_.h}: Implement new utility function
     FormatMagickStringNumeric() to securely expand a user-supplied
     format string with a single numeric argument. Adjust code to use
     this function where appropriate. (CVE-2006-0082) Closes: #345876
   * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h,
     magick/methods.h: Do not call external delegates with user-supplied
     filename, but with securely named symlinks only to prevent shell
     command injection (CVE-2005-4601). Closes: #345238
   * debian/rules: Make sure to include trailing spaces in multi-line
     commands to keep recent make happy. Cures problems with ghostscript
     font path. Fix thanks to Jeff Lessem. Closes: #347486
   * debian/imagemagick.mime: Rather than autodetect the type of an
     image, derive it from the mime type. As a side effect, this change
     allows to use arbitrary filenames with the 'see' command, even if
     they have special meaning to imagemagick internally. Also clean up
     some typos and superfluous entries once we're at it. Closes: #344997
 .
 imagemagick (6:6.2.4.5-0.5) unstable; urgency=low
 .
   * Another NMU to complete the installability fixes from 6:6.2.4.5-0.4.
   * Adjust libmagick9-dev dependencies to account for the removal of
     xlibs-dev from unstable, and bring them in line with build-deps.
 .
 imagemagick (6:6.2.4.5-0.4) unstable; urgency=low
 .
   * Non-maintainer upload to resolve buildability/installability.
   * debian/{control,rules}: Disable DPS support, which is no longer
     shipped in Xorg 6.9/7.0 (and was making us both FTBFS and
     uninstallable in sid)
   * debian/control: explicitely build-depend on libxext-dev, since we
     both test for and use it directly, rather than indirectly.
 .
 imagemagick (6:6.2.4.5-0.3) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/control: Rename libmagick++9 to libmagick++9c2a, following a
     C++ ABI transition. Conflicts with and Replaces old version.
   * debian/*: Rename various debhelper support files due to above name
     change.
 .
 imagemagick (6:6.2.4.5-0.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/control: libmagick9-dev Conflicts/Replaces libmagick6-dev.
     Likewise for libmagick++9-dev. Closes: #330666
   * debian/control: Provide unversioned libmagick-dev and
     libmagick++-dev and conflict/replace them for future-proof handling
     of soname bumps.
 .
 imagemagick (6:6.2.4.5-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version.
     + Yet another bump of the soname version, this time going from 7
       to 9.
   * debian/*: Cater for soname change and corresponding change of
     library packages names in multiple places.
 .
 imagemagick (6:6.2.4.4-0.1) experimental; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version.
     + Version in library soname was increased from 6 to 7 due to
       changes in binary interface starting with 6.0.7. (Yes, this
       should have happened earlier.)
       Closes: #318176, #325651, #325720
   * debian/*: Rename packages from libmagick6 to libmagick7, and
     similar. Adjust version in various places accordingly. Drop c2
     suffix from C++ library package.
   * debian/control: Use shlibs information to generate Depends line for
     imagemagick binary package.
   * debian/control: Remove Pre-Depends on prehistoric version of dpkg.
   * debian/control: Package complies with policy version 3.6.2. Bump
     Standards-Version accordingly.
   * Patches to upstream sources:
     + [bin/Magick++-config.1.debdiff] Stray file that seems to have
       slipped into the previous Debian diffs by mistake. Removed now.
     + [magick/blob.c] Originally a patch from upstream, now mostly
       merged. Retaining a single hunk that upstream reverted later on,
       though it still looks correct.
     + [configure.ac, configure] Override location of documentation
       files to Debian's default /usr/share/doc/imagemagick. Patch to
       configure was present before. This release promotes it back to
       configure.ac as well. (No ill effects because AM_MAINTAINER_MODE
       is used.)
     + [coders/magick.c] Drop patch that exchanges upstream's logo for a
       DFSG-free version. This attempt to address #214623 (distribution
       of non-free logo) missed several other instances of the logo,
       must be applied to the orig.tar.gz rather than the Debian diff,
       and should have some input from upstream, so no point in carrying
       it around still.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 25 Jun 2007 06:48:47 GMT).