Bug 98827 - CAN-2003-0455 ImageMagick temporary file handling vulnerability
Summary: CAN-2003-0455 ImageMagick temporary file handling vulnerability
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: ImageMagick
Version: 2.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Matthias Clasen
QA Contact: Mike McLean
URL: http://cve.mitre.org/cgi-bin/cvename....
Depends On:
TreeView+ depends on / blocked
Reported: 2003-07-09 10:59 UTC by Mark J. Cox
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2005-09-20 17:04:03 UTC

Attachments (Terms of Use)
Patch from OpenPKG for this issue (1.45 KB, patch)
2004-09-23 09:29 UTC, Mark J. Cox
no flags Details | Diff
corrected patch for tmpname issue (5.55 KB, patch)
2004-11-13 20:55 UTC, Michal Jaegermann
no flags Details | Diff
another version of "not leaving droppings tmpname" patch (5.34 KB, patch)
2004-11-14 07:00 UTC, Michal Jaegermann
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:494 normal SHIPPED_LIVE Important: ImageMagick security update 2004-10-20 04:00:00 UTC

Description Mark J. Cox 2003-07-09 10:59:27 UTC
According to the CVE database; the imagemagick libmagick library 5.5 and earlier
creates temporary files insecurely, which allows local users to create or
overwrite arbitrary files.  Red Hat Enterprise Linux (2.1 all variants) shipped
with ImageMagick-5.3.8.

Comment 1 Mark J. Cox 2004-09-23 09:29:46 UTC
Created attachment 104171 [details]
Patch from OpenPKG for this issue

Comment 2 Josh Bressers 2004-10-20 19:13:58 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Comment 3 Michal Jaegermann 2004-11-13 20:55:38 UTC
Created attachment 106649 [details]
corrected patch for tmpname issue

A patch used in ImageMagick-5.3.8-5.src.rpm says in a comment:

/* Attention: this creates an additional 
 * intermediate directory for security reasons,
 * but unfortunately it is never deleted.

Leaving such "leftovers" is a bug in itself.  Attached patch corrects
that not to such ghastly things on a normal exit.  It possibly can be
improved but it works.

Comment 4 Michal Jaegermann 2004-11-14 07:00:34 UTC
Created attachment 106661 [details]
another version of "not leaving droppings tmpname" patch 

I believe that this variant is somewhat more elegant then the previous one.
Nothing concentrates mind like posting a code. :-)

Comment 5 David Eisenstein 2005-08-27 10:23:03 UTC
Should this bug be closed?  CAN-2003-0455 says that this was fixed in
<http://www.redhat.com/support/errata/RHSA-2004-494.html>, but that
page tells me that that it is outdated, and to look to 

Comment 6 Matthias Clasen 2005-09-20 17:04:03 UTC
The security issue has been fixed. I don't think the leftover directory issue
warrants a 2.1 update at this point.

Note You need to log in before you can comment on or make changes to this bug.