OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 10-Jul-2003 16:22:49
Branch: HEAD Handle: 2003071015224801
Added files:
openpkg-web/security OpenPKG-SA-2003.034-imagemagick.txt
Modified files:
openpkg-web security.txt security.wml
Log:
SA-2003.034-imagemagick; CAN-2003-0455
Summary:
Revision Changes Path
1.40 +1 -0 openpkg-web/security.txt
1.56 +1 -0 openpkg-web/security.wml
1.1 +86 -0 openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
============================================================================
$ cvs diff -u -r1.39 -r1.40 security.txt
--- openpkg-web/security.txt 10 Jul 2003 09:54:16 -0000 1.39
+++ openpkg-web/security.txt 10 Jul 2003 14:22:48 -0000 1.40
@@ -1,3 +1,4 @@
+10-Jul-2003: Security Advisory: S<OpenPKG-SA-2003.034-imagemagick>
10-Jul-2003: Security Advisory: S<OpenPKG-SA-2003.033-infozip>
07-Jul-2003: Security Advisory: S<OpenPKG-SA-2003.032-php>
11-Jun-2003: Security Advisory: S<OpenPKG-SA-2003.031-gzip>
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
============================================================================
$ cvs diff -u -r1.55 -r1.56 security.wml
--- openpkg-web/security.wml 10 Jul 2003 09:54:16 -0000 1.55
+++ openpkg-web/security.wml 10 Jul 2003 14:22:48 -0000 1.56
@@ -78,6 +78,7 @@
</define-tag>
<box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
<table cellspacing=0 cellpadding=0 border=0>
+ <sa 2003.034 imagemagick>
<sa 2003.033 infozip>
<sa 2003.032 php>
<sa 2003.031 gzip>
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.034-imagemagick.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.034-imagemagick.txt
--- /dev/null 2003-07-10 16:22:49.000000000 +0200
+++ OpenPKG-SA-2003.034-imagemagick.txt 2003-07-10 16:22:49.000000000 +0200
@@ -0,0 +1,86 @@
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.034 10-Jul-2003
+________________________________________________________________________
+
+Package: imagemagick
+Vulnerability: create or overwrite files
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= imagemagick-5.5.6.0-20030409 >= imagemagick-5.5.7.0-20030512
+OpenPKG 1.2 <= imagemagick-5.5.3.2-1.2.0 >= imagemagick-5.5.3.2-1.2.1
+OpenPKG 1.1 <= imagemagick-5.4.8.2-1.1.0 >= imagemagick-5.4.8.2-1.1.1
+
+Affected Releases: Dependent Packages:
+OpenPKG CURRENT bar quux
+OpenPKG 1.2 bar quux
+OpenPKG 1.1 bar
+
+FIXME candidates
+ autotrace-0.31.1-20030707
+ tex4ht-20030119-20030707
+ wv-0.7.6-20030707
+
+Description:
+ According to a Debian security advisory [0] imagemagick's libmagick
+ [1] library, under certain circumstances, creates temporary files
+ without taking appropriate security precautions. This vulnerability
+ could be exploited by a local user to create or overwrite files with
+ the privileges of another user who is invoking a program using this
+ library. Research has shown that all versions of imagemagick before
+ 5.5.7.0 are affected. The Common Vulnerabilities and Exposures (CVE)
+ project assigned the id CAN-2003-0455 [2] to the problem.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm -q
+ imagemagick". If you have the "imagemagick" package installed and its
+ version is affected (see above), we recommend that you immediately
+ upgrade it (see Solution) and it's dependent packages (see above), if
+ any, too. [3][4]
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
+ location, verify its integrity [9], build a corresponding binary RPM
+ from it [3] and update your OpenPKG installation by applying the binary
+ RPM [4]. For the current release OpenPKG 1.2, perform the following
+ operations to permanently fix the security problem (for other releases
+ adjust accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp> bin
+ ftp> cd release/1.2/UPD
+ ftp> get imagemagick-5.5.3.2-1.2.1.src.rpm
+ ftp> bye
+ $ <prefix>/bin/rpm -v --checksig imagemagick-5.5.3.2-1.2.1.src.rpm
+ $ <prefix>/bin/rpm --rebuild imagemagick-5.5.3.2-1.2.1.src.rpm
+ $ su -
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/imagemagick-5.5.3.2-1.2.1.*.rpm
+
+ Additionally, we recommend that you rebuild and reinstall
+ all dependent packages (see above), if any, too. [3][4]
+________________________________________________________________________
+
+References:
+ [0] http://www.debian.org/security/2003/dsa-331
+ [1] http://www.imagemagick.org/
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455
+ [3] http://www.openpkg.org/tutorial.html#regular-source
+ [4] http://www.openpkg.org/tutorial.html#regular-binary
+ [5] ftp://ftp.openpkg.org/release/1.1/UPD/imagemagick-5.4.8.2-1.1.1.src.rpm
+ [6] ftp://ftp.openpkg.org/release/1.2/UPD/imagemagick-5.5.3.2-1.2.1.src.rpm
+ [7] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [8] ftp://ftp.openpkg.org/release/1.2/UPD/
+ [9] http://www.openpkg.org/security.html#signature
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
