Self-tests affected by installed ImageMagick

[mi]

If the building system already has (an earlier) installation of ImageMagick, the PerlMagick's self tests will use that installation's modules, etc. instead of the just-built ones:

Code: Select all

t/jp2/read........ok 1/3/libexec/ld-elf.so.1: /opt/lib/ImageMagick/modules-Q16/coders/miff.so: Undefined symbol "ReadBlobStream"
....
t/read............/libexec/ld-elf.so.1: /opt/lib/ImageMagick/modules-Q16/coders/miff.so: Undefined symbol "ReadBlobStream"
...

The stuff under "/opt/lib" is older and should not even be looked at, while testing the just-built binaries... What can be done to fix this problem? Thanks!

[mi]

Ok, this appears to be due to a bug in module.c. It first looks into the MAGICK_CODER_MODULE_PATH environment variable, which magick.sh duly sets for the self-tests.

When it can not find the module there (when, for example, module support is turned off), however, it goes on to look into a directory, where the modules would be after this new build is installed.

When that directory is populated with the modules of an earlier version, conflicts arise. Unfortunately, module.c is too spaghetty-like for me to come up with a patch. But something needs to be done...

Thanks!

[magick]

We'll add a API version and quantum depth check on module in the next ImageMagick release so only compatible modules are loaded. Thanks for alerting us to the problem.

[mi]

We'll add a API version and quantum depth check on module in the next ImageMagick release so only compatible modules are loaded. Thanks for alerting us to the problem.

Thanks. That may not be enough, however -- even though it will solve some of the conflicts.

In my opinion, if the overwriting environment variable is found to be set, the compiled-in path should be ignored completely.

[magick]

Regression testing requires that ImageMagick be installed first before the tests are run for the "installed" version of ImageMagick (the default) or you can test with the "uninstalled" version which respects the environment variables. The installed version must pick up a delegate in the system path to prevent a potential security vulnerability.

[mi]

Regression testing requires that ImageMagick be installed first before the tests are run for the "installed" version of ImageMagick (the default) or you can test with the "uninstalled" version which respects the environment variables. The installed version must pick up a delegate in the system path to prevent a potential security vulnerability.

Well, I'm testing a not-yet-installed version to see, whether it can replace the already installed one. Even if the installed one has the same API-version and quantum, it still should not be used by the just-compiled version, that is being tested and has not been installed yet...

What "security vulnerability" is there, if none of the executables are suid? Please, outline the scenario, in which the current code would stop an exploit, but the changes I'm proposing would allow the exploit. Thanks!

[magick]

ImageMagick is utilized by a number of scripting environments such as PHP and Perl. A nefarious individual could inject an environment variable so ImageMagick loads a nefarious coder module that runs with the same user credentials as the scripting environment (e.g. apache).

[magick]

ImageMagick 6.3.6-0 is nearly ready for release. If you have a few minutes of spare time this week perhaps you could download it from ftp://magick.imagemagick.org/pub/ImageMagick/beta and let us know if there are any FreeBSD issues which hopefully we could resolve before we release it.

[mi]

ImageMagick is utilized by a number of scripting environments such as PHP and Perl. A nefarious individual could inject an environment variable so ImageMagick loads a nefarious coder module that runs with the same user credentials as the scripting environment (e.g. apache).

If such an individual has access to the apache-user's environment, he/she can simply alter the LD_LIBRARY_PATH or modify the necessary files directly.

Regardless, since -- as my testing proves -- the environment variables are being checked anyway, you are not protecting anyone

All I am saying is, if the environment variables are found, the compiled-in path should not be checked.

[magick]

If its an installed version, ImageMagick should only consult the built-in path. We specifically created an uninstalled version to respect the environment variables. So if respecting environment variables are important to you, use the uninstalled version of ImageMagick.