Channel: BOT24

imagemagick vulnerability


ImageMagick URL coder is affected by a NULL dereference triggerable by the user

It only occurs when you use a URL as an image filename and you can't
write to the temporary directory, which is typically /tmp or wherever the
MAGICK_TMPDIR env variable points.

As a Debian maintainer, I believe this is a (minor) security bug that
could lead to a local DoS at least.

Upstream bug is here
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=23117


Patch below to fix the bug

From e5eb27d112e0a7181df44fb70c42633c2d1c9c74 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Fri, 5 Apr 2013 11:49:29 +0000
Subject: [PATCH] git-svn-id:
https://www.imagemagick.org/subversion/ImageMagick/trunk@11698
aa41f4f7-0bf4-0310-aa73-e5a19afd5a74

---
coders/url.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/coders/url.c b/coders/url.c
index 19dbd73..abab351 100644
--- a/coders/url.c
+++ b/coders/url.c
@@ -153,12 +153,9 @@ static Image *ReadURLImage(const ImageInfo *image_info,ExceptionInfo *exception)
file=fdopen(unique_file,"wb");
if ((unique_file == -1) || (file == (FILE *) NULL))
{
- read_info=DestroyImageInfo(read_info);
- (void) CopyMagickString(image->filename,read_info->filename,
- MaxTextExtent);
ThrowFileException(exception,FileOpenError,"UnableToCreateTemporaryFile",
- image->filename);
- image=DestroyImageList(image);
+ read_info->filename);
+ read_info=DestroyImageInfo(read_info);
return((Image *) NULL);
}
(void) CopyMagickString(filename,image_info->magick,MaxTextExtent);
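
Review bot: in the failure branch, when `unique_file` is a valid descriptor but `fdopen()` returns NULL, the function now returns without closing that descriptor, so every failed call leaks one; close `unique_file` when it is not -1 before `return((Image *) NULL);`. The context line above the condition also calls `fdopen(unique_file,"wb")` before the `unique_file == -1` test, and testing the descriptor first would make the two failure cases easier to handle separately. Moving `ThrowFileException` ahead of `DestroyImageInfo(read_info)` addresses the use of `read_info->filename` after `read_info` was destroyed; because `image=DestroyImageList(image);` is dropped as well, the commit message should state that no `image` is allocated before this point.
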
--
1.7.10.4
Bastien Roucaries

