|
|
|
The imagemagick libmagick library 5.5 and earlier creates temporary |
|
The imagemagick libmagick library 5.5 and earlier creates temporary |
| 1 |
files insecurely, which allows local users to create or overwrite |
1 |
files insecurely, which allows local users to create or overwrite |
| 2 |
arbitrary files. |
2 |
arbitrary files. |
| 3 |
-- magick/utility.c |
3 |
++ magick/utility.c |
|
Lines 2644-2651
|
| 2644 |
% name is returned in this array. |
2644 |
% name is returned in this array. |
| 2645 |
% |
2645 |
% |
| 2646 |
*/ |
2646 |
*/ |
|
|
2647 |
|
| 2648 |
/* Attention: this creates an additional |
| 2649 |
* intermediate directory for security reasons, |
| 2650 |
* but unfortunately it is never deleted. |
| 2651 |
*/ |
| 2652 |
static void TemporaryFilenameHelper(char *, char *); |
| 2647 |
MagickExport void TemporaryFilename(char *path) |
2653 |
MagickExport void TemporaryFilename(char *path) |
| 2648 |
{ |
2654 |
{ |
|
|
2655 |
static char *mSafeTmpdir = NULL; |
| 2656 |
char *name; |
| 2657 |
struct passwd *pwd; |
| 2658 |
struct stat st; |
| 2659 |
char *tmpdir = getenv("TMPDIR"); |
| 2660 |
if (tmpdir == NULL) |
| 2661 |
tmpdir = P_tmpdir; |
| 2662 |
|
| 2663 |
pwd = getpwuid (getuid ()); |
| 2664 |
|
| 2665 |
if (mSafeTmpdir == NULL) { |
| 2666 |
FormatString(path, "%s/magick-%s", tmpdir, pwd->pw_name); |
| 2667 |
|
| 2668 |
if (lstat (path, &st) == 0) { |
| 2669 |
if (S_ISDIR (st.st_mode) && |
| 2670 |
st.st_uid == getuid () && |
| 2671 |
chmod (path, 0700) == 0) { |
| 2672 |
|
| 2673 |
mSafeTmpdir = strdup(path); |
| 2674 |
} |
| 2675 |
else |
| 2676 |
MagickFatalError(ResourceLimitFatalError,"TempDirHasWrongPermissions",path); |
| 2677 |
} else { |
| 2678 |
if (mkdir(path, S_IRWXU) == 0) { |
| 2679 |
mSafeTmpdir = strdup(path); |
| 2680 |
} |
| 2681 |
else |
| 2682 |
MagickFatalError(ResourceLimitFatalError,"CantCreateTempDir",path); |
| 2683 |
} |
| 2684 |
} |
| 2685 |
path[0] = '\0'; |
| 2686 |
if (mSafeTmpdir == NULL) |
| 2687 |
return; |
| 2688 |
|
| 2689 |
TemporaryFilenameHelper(path, mSafeTmpdir); |
| 2690 |
} |
| 2691 |
|
| 2692 |
static void TemporaryFilenameHelper(char *path, char *mSafeTmpdir) |
| 2693 |
{ |
| 2649 |
#define RandomKeyExtent 6 |
2694 |
#define RandomKeyExtent 6 |
| 2650 |
|
2695 |
|
| 2651 |
char |
2696 |
char |
|
Lines 2670-2693
|
| 2670 |
/* |
2715 |
/* |
| 2671 |
Get temporary pathname. |
2716 |
Get temporary pathname. |
| 2672 |
*/ |
2717 |
*/ |
| 2673 |
(void) strcpy(path,"magic"); |
2718 |
(void) strcpy(path, mSafeTmpdir); |
| 2674 |
#if defined(vms) || defined(macintosh) |
2719 |
strncat(path, "/magick", MaxTextExtent-strlen(path)-1); |
| 2675 |
(void) tmpnam(path); |
|
|
| 2676 |
#else |
| 2677 |
{ |
| 2678 |
char |
| 2679 |
*name; |
| 2680 |
|
2720 |
|
| 2681 |
name=(char *) tempnam((char *) NULL,path); |
|
|
| 2682 |
if (name == (char *) NULL) |
| 2683 |
(void) tmpnam(path); |
| 2684 |
else |
| 2685 |
{ |
| 2686 |
(void) strncpy(path,name,MaxTextExtent-1); |
| 2687 |
LiberateMemory((void **) &name); |
| 2688 |
} |
| 2689 |
} |
| 2690 |
#endif |
| 2691 |
/* |
2721 |
/* |
| 2692 |
Add salt to strengthen weak tmpnam()/tempnam() implementations. |
2722 |
Add salt to strengthen weak tmpnam()/tempnam() implementations. |
| 2693 |
*/ |
2723 |
*/ |
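Review bot: In the new `TemporaryFilename` (first hunk), `pwd = getpwuid (getuid ())` is dereferenced as `pwd->pw_name` with no NULL check, so a process whose uid has no passwd entry (a chroot or a minimal container, for example) crashes before any of the directory checks run. Naming the directory by numeric uid avoids the lookup altogether: `FormatString(path, "%s/magick-%lu", tmpdir, (unsigned long) getuid());`. Both `strdup(path)` results are also unchecked; on allocation failure `mSafeTmpdir` stays NULL and the function returns with `path` set to an empty string, which callers presumably do not expect, so that case should go through `MagickFatalError` like the other failures. The existing-directory branch uses `lstat` followed by a path-based `chmod`, which is race-free only when `TMPDIR` is sticky or not writable by other users, and a comment stating that assumption belongs there. `TemporaryFilenameHelper` continues past the end of the second hunk, and its retained comment about strengthening `tmpnam()/tempnam()` looks stale now that those calls are removed.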