ImageMagick Delegate Code Multiple Utility Crafted File Name Arbitrary Shell Command Injection

2005-12-29T09:03:29
ID OSVDB:22121
Type osvdb
Reporter Florian Weimer (fw@deneb.enyo.de)
Modified 2005-12-29T09:03:29

Description

Vulnerability Description

Various ImageMagick utilities fail to correctly validate image file names. The issue is triggered when a file name containing specially crafted shell commands is supplied. The flaw may allow execution of arbitrary shell commands, resulting in a loss of integrity.

Technical Description

This vulnerability is only present for ImageMagick utilities which make use of the 'delegate' code and for graphics formats for which 'delegates' are defined, e.g. WMF.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. As a workaround, do not use ImageMagick to open files with suspicious-looking names.

Manual Testing Notes

$ cp /usr/lib/openoffice/share/template/en-US/wizard/bitmap/germany.wmf \
     '" ; echo "Hi!" >&2; : "'.gif
$ display '" ; echo "Hi!" >&2; : "'.gif
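
The mechanism behind the test above, as an added example that is not part of the original advisory and is not ImageMagick's code. It assumes a delegate-style template `"wmf2eps" "%i" "%o"` and hypothetical helper names, and shows how the file name from the notes changes what a shell parses, next to an allowlist gate and an argv list that bypasses the shell.

```python
import re
import shlex

# Assumed delegate-style template for illustration (%i = input, %o = output);
# it is not copied from any ImageMagick release.
TEMPLATE = '"wmf2eps" "%i" "%o"'

# File name taken from the manual testing notes above.
CRAFTED = '" ; echo "Hi!" >&2; : "' + '.gif'

# Conservative allowlist for base names: no quotes, whitespace or shell
# operators, and no leading '-' that a tool could read as an option.
SAFE_NAME = re.compile(r'[A-Za-z0-9_][A-Za-z0-9._-]*\Z')


def expand(template, infile, outfile):
    """Textual substitution into a command string destined for a shell."""
    return template.replace('%i', infile).replace('%o', outfile)


def shell_words(command):
    """Split a command line into words and operators, roughly as sh would.

    shlex does not model shell expansions, so use this for inspection only;
    the allowlist below, not the tokenizer, is the gate.
    """
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def is_safe_name(name):
    """Check to apply before a file name reaches shell-building code."""
    return SAFE_NAME.match(name) is not None


def safe_argv(infile, outfile):
    """Hardened form: an argv list for subprocess.run(..., shell=False).

    Each file name stays one argument whatever characters it contains.
    """
    return ['wmf2eps', infile, outfile]


if __name__ == '__main__':
    for name in ('germany.wmf', CRAFTED):
        print(repr(name), 'accepted' if is_safe_name(name) else 'rejected')
        print('  shell sees:', shell_words(expand(TEMPLATE, name, 'out.eps')))
        print('  argv form :', safe_argv(name, 'out.eps'))
```

With the ordinary name the shell sees three words; with the crafted name the first quote closes early and the rest is parsed as further commands, while the argv form keeps the whole name as a single argument.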

References:

Vendor URL: http://www.imagemagick.org/
Vendor Specific News/Changelog Entry: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345238
Vendor Specific Advisory URL
Vendor Specific Advisory URL
Secunia Advisory ID: 18261
Secunia Advisory ID: 19408
Secunia Advisory ID: 19183
Secunia Advisory ID: 18631
Secunia Advisory ID: 23090
Secunia Advisory ID: 18607
Secunia Advisory ID: 18871
RedHat RHSA: RHSA-2006:0178
Other Advisory URL: http://www.debian.org/security/2006/dsa-957
Other Advisory URL: http://www.novell.com/linux/security/advisories/2006_06_sr.html
Other Advisory URL: http://www.ubuntu.com/usn/usn-246-1
CVE-2005-4601
Bugtraq ID: 16093