Re: New vulnerabilty in imagemagick

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/07/2013 06:57 AM, Bastien ROUCARIES wrote:
> Hi,
>
> Imagemagick url coder is affected by a NULL deference trigerrable
> by user
>
> It only occurs when you use a URL as an image filename and you
> can't write to the temporary directory which is typically /tmp or
> whereever MAGICK_TMPDIR env variable points.
>
> As the debian mainteners I believe this is a security (minor) bug
> that could lead to local dos at least.
>
> Upstream bug is here 
> http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=23117
>
>  Could you please open a candidate CVE number ?
>
> Patch here fix the bug.

I'm not seeing any way to trigger this vulnerability reliably (you
can't send a mangled image, you have to fill up /tmp or something).
Also the DOS is simply the program can't open the file. Am I missing
something?


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRYxJBAAoJEBYNRVNeJnmTrPgQAKj5T+c11EB/DqF1KCr2JgoG
BBAJu7JpfTtH+vqZVc6CXySFNOZXrVVzQ66LUmiyyPFvsNIHFgaD58YW3+a3dLuS
4i1lkvjpMRZ2qoGFad86FwsejWIgUuxeC8Y4VxCssqSxfD35YAE6QP2a/hX+kCv+
T/eYWb1hR2rHGSAb6d+5QWKr+R/wonpR9QfykM1pbbdp1kUFlmaosL+GwZOk6Ps/
m/vvyUyUN8gTmNYCdn0inMQslAUAQlFwSjhyNRIkn/5mxJIYPltTGMnRtT5hRo0R
gQ9ly6X7ICaVEqU6+SgR77gNNxm3pAhEv5OE6koyqiRWgtQmCrC3UYFsy1ryrnyz
ObfsuM8vIMQh2fVkR094dby/4kMv3mP1alWtQMg8F7AggplbGAko9i5jlD6GL6XJ
yauMcRJ+tGwAaJlx+I2CiwkxxgMNMXBjJUzfRxMoRbRAGHKsWDzk4AfqWZfSF/sr
9E111bRls1ph3PqE1NhHc7ZX6KBaeUuOHIstvcsm5FJtR3nPan0QwcDQu5bQL1ZN
Pi2VGImhL1cPvKFWw5gANnTRoEFXNp+S4sk4TWQY3a/P8Aenzpia4wAjzV47zETo
BuP07lz44xAT7PhMxyViqDkN/gCQZNpr6Vm14UKoF7OuzP+5qBQ4oP4cigAOdX+9
aUosZhVuRQbc5/ht+akK
=rJMU
-----END PGP SIGNATURE-----