REDHAT-BUG-652860
First published: Sat Nov 13 2010(Updated: )
A Debian bug report [1] indicated that ImageMagick would load configuration files from the current working directory, rather than just standard directories like ~/.magick/ or /usr/lib/ImageMagick-*/config/. If a user were to run certain ImageMagick programs, like the convert utility, from untrusted directories it could allow for the execution of arbitrary code as the user running the program. Upstream has corrected [2] this flaw is noted as being fixed in the 6.6.5-5 ChangeLog [3]. [1] <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824</a> [2] <a href="http://trac.imagemagick.org/changeset?new=3022%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c&old=2002%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c">http://trac.imagemagick.org/changeset?new=3022%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c&old=2002%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c</a> [3] <a href="http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog">http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick | <6.6.5-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824
- http://trac.imagemagick.org/changeset?new=3022%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c&old=2002%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c
- http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog
- https://access.redhat.com/security/cve/CVE-2010-4167
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=653577
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=652860#c6
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=652860#c7
- https://rhn.redhat.com/errata/RHSA-2012-0301.html
- https://rhn.redhat.com/errata/RHSA-2012-0544.html
- https://bugzilla.redhat.com/show_bug.cgi?id=652860
Frequently Asked Questions
What is the severity of REDHAT-BUG-652860?
The severity of REDHAT-BUG-652860 is categorized based on potential security risks associated with loading configuration files from untrusted directories.
How do I fix REDHAT-BUG-652860?
To fix REDHAT-BUG-652860, ensure you run ImageMagick commands only from trusted directories and consider updating to a patched version if available.
Which versions of ImageMagick are affected by REDHAT-BUG-652860?
REDHAT-BUG-652860 affects ImageMagick versions prior to 6.6.5-5.
What type of vulnerability is identified in REDHAT-BUG-652860?
REDHAT-BUG-652860 identifies a security vulnerability related to the improper loading of configuration files.
Can REDHAT-BUG-652860 lead to unauthorized access?
Yes, REDHAT-BUG-652860 can potentially allow unauthorized access if malicious configuration files are executed.
- collector/redhat-bugzilla
- alias/CVE-2010-4167
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/imagemagick
- canonical/imagemagick