[Pkg-gmagick-im-team] Bug#601824: imagemagick: reads config files from cwd

Andreas Metzler ametzler at downhill.at.eu.org
Sat Nov 6 18:03:41 UTC 2010


tags 601824 fixed-upstream patch
thanks

On 2010-10-30 "Nelson A. de Oliveira" <naoliv at debian.org> wrote:
> On Fri, Oct 29, 2010 at 11:43 PM, Jakub Wilk <jwilk at debian.org> wrote:
> > ImageMagick reads several configuration files[0] from the current working
> > directory. Unfortunately, this allows local attackers to execute arbitrary
> > code if ImageMagick is run from an untrusted directory.

> I have confirmed it here and forwarded upstream.
[...]

Hello Nelson,
This is already fixed upstream. Quoting 6.6.5-6 ChangeLog:
2010-10-30  6.6.5-5 Cristy  <quetzlzacatenango at image...>
  * Do not read configure files in the current directory for the "installed"
    version of ImageMagick.

The fix (copy attached) is pretty short; I can make an NMU if you want
me to.

cu andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_config_in_pwd.diff
Type: text/x-diff
Size: 923 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20101106/78994393/attachment.diff>

