Bug 98827 - CAN-2003-0455 ImageMagick temporary file handling vulnerability
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: ImageMagick
Version: 2.1
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Matthias Clasen
QA Contact: Mike McLean
URL: http://cve.mitre.org/cgi-bin/cvename....
Reported: 2003-07-09 06:59 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-09-20 13:04:03 EDT
Attachments:
Patch from OpenPKG for this issue (1.45 KB, patch)
2004-09-23 05:29 EDT, Mark J. Cox (Product Security)
corrected patch for tmpname issue (5.55 KB, patch)
2004-11-13 15:55 EST, Michal Jaegermann
another version of "not leaving droppings tmpname" patch (5.34 KB, patch)
2004-11-14 02:00 EST, Michal Jaegermann
Description Mark J. Cox (Product Security) 2003-07-09 06:59:27 EDT
According to the CVE database, the ImageMagick libmagick library 5.5 and earlier
creates temporary files insecurely, which allows local users to create or
overwrite arbitrary files.  Red Hat Enterprise Linux (2.1 all variants) shipped
with ImageMagick-5.3.8.
Comment 1 Mark J. Cox (Product Security) 2004-09-23 05:29:46 EDT
Created attachment 104171 [details]
Patch from OpenPKG for this issue
Comment 2 Josh Bressers 2004-10-20 15:13:58 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-494.html
Comment 3 Michal Jaegermann 2004-11-13 15:55:38 EST
Created attachment 106649 [details]
corrected patch for tmpname issue

A patch used in ImageMagick-5.3.8-5.src.rpm says in a comment:

/* Attention: this creates an additional 
 * intermediate directory for security reasons,
 * but unfortunately it is never deleted.
 */

Leaving such "leftovers" is a bug in itself.  The attached patch corrects
that, so as not to do such ghastly things on a normal exit.  It can possibly
be improved, but it works.
Comment 4 Michal Jaegermann 2004-11-14 02:00:34 EST
Created attachment 106661 [details]
another version of "not leaving droppings tmpname" patch 

I believe that this variant is somewhat more elegant than the previous one.
Nothing concentrates the mind like posting code. :-)
Comment 5 David Eisenstein 2005-08-27 06:23:03 EDT
Should this bug be closed?  CAN-2003-0455 says that this was fixed in
<http://www.redhat.com/support/errata/RHSA-2004-494.html>, but that
page tells me that it is outdated, and to look to
<http://rhn.redhat.com/errata/RHSA-2005-480.html>....
Comment 6 Matthias Clasen 2005-09-20 13:04:03 EDT
The security issue has been fixed. I don't think the leftover directory issue
warrants a 2.1 update at this point.
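
The pattern raised in comment 3, as an added example (it is not the attached patch and not ImageMagick's code): the temporary file lives in a private intermediate directory made with mkdtemp(), and an atexit() hook removes both on a normal exit. The function names, the `magick-` prefix and the `/tmp` base are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* All names below are hypothetical; this is not ImageMagick's API. */
static char scratch_dir[PATH_MAX];       /* private 0700 directory */
static char scratch_file[PATH_MAX + 16]; /* file created inside it */
/* Delete the file, then the directory. Returns 0 if nothing is left behind. */
int scratch_remove(void)
{
    int rc = 0;
    if (scratch_file[0] && unlink(scratch_file) != 0) rc = -1;
    if (scratch_dir[0] && rmdir(scratch_dir) != 0) rc = -1;
    scratch_file[0] = scratch_dir[0] = '\0';
    return rc;
}
static void scratch_atexit(void) { (void)scratch_remove(); }
/* Permission bits of the directory, or -1 if it does not exist. */
int scratch_dir_mode(void)
{
    struct stat st;
    if (!scratch_dir[0] || lstat(scratch_dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (int)(st.st_mode & 0777);
}
/* Create the directory and one file in it; returns an open fd or -1. */
int scratch_open(const char *base)
{
    static int hooked;
    int fd;
    if (scratch_dir[0]) return -1; /* one scratch area at a time */
    if (snprintf(scratch_dir, sizeof scratch_dir, "%s/magick-XXXXXX", base) >= (int)sizeof scratch_dir
        || mkdtemp(scratch_dir) == NULL) { scratch_dir[0] = '\0'; return -1; }
    if (!hooked) hooked = (atexit(scratch_atexit) == 0); /* cleanup on normal exit */
    snprintf(scratch_file, sizeof scratch_file, "%s/data", scratch_dir);
    /* O_EXCL refuses a pre-existing path; O_NOFOLLOW refuses a symlink. */
    fd = open(scratch_file, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) { scratch_file[0] = '\0'; scratch_remove(); }
    return fd;
}
int main(void)
{
    int fd = scratch_open("/tmp");
    if (fd < 0) return 1;
    printf("%s, directory mode %o\n", scratch_file, (unsigned)scratch_dir_mode());
    return close(fd); /* the atexit hook then removes the file and directory */
}
```

The hook covers only normal termination; a process killed by a signal still leaves the directory behind.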
