Comment 13 for bug 27767

Daniel Kobras (kobras) wrote: Re: Bug#345238: Shell command injection in delegate code (via file names)

found 345238 4:5.4.4.5-1woody7
found 345238 6:6.0.6.2-2.5
thanks

On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > With some user interaction, this is exploitable through Gnus and
> > Thunderbird. I think this warrants increasing the severity to
> > "grave".
>
> Here's the vanilla fix from upstream SVN, stripped of whitespace changes.
> I wonder why they've banned ` but still allow $(...), though.

The security updates for woody and sarge (DSA-957) use a backport of
upstream's fix without further modifications, i.e. this hole can still be
exploited through $(...) expansion. The following test case works on
woody and sarge with the latest imagemagick security updates installed:

% ls
test$(touch boo).fig
% display 'test$(touch boo).fig'
File "test.fig" does not exist
display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
% ls
boo test$(touch boo).fig

Regards,

Daniel.
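
Added example, not part of the original message and not ImageMagick's code: it contrasts pasting a file name into the delegate string that a shell then parses with splitting the template into words first and running it without a shell. The function names, the `DEMO` template and the harmless `echo INJECTED` probe are constructed for illustration, and `backtick_only_filter` is only a model of the check as the thread describes it.

```python
import re
import shlex
import subprocess

# Delegate template as quoted in the error message above.
TEMPLATE = '"fig2dev" -L ps "%i" "%o"'
# Constructed stand-in so the demo needs no fig2dev: prints its input name.
DEMO = 'printf %s "%i"'
# Constructed probe: same shape as the test case, but only echoes a marker.
PROBE = 'test$(echo INJECTED).fig'

def _fill(text, infile, outfile):
    """Replace %i / %o in a single pass so substituted text is not rescanned."""
    subst = {"%i": infile, "%o": outfile}
    return re.sub(r"%[io]", lambda m: subst[m.group(0)], text)

def backtick_only_filter(name):
    """Model of the backported check as described in the thread: only ` is refused."""
    return "`" not in name

def shell_command(template, infile, outfile):
    """Weak form: the name is pasted into a string that /bin/sh will parse.
    Inside double quotes the shell still expands $(...), `...` and $VAR."""
    return _fill(template, infile, outfile)

def argv_command(template, infile, outfile):
    """Hardened form: split the template into words first, then substitute.
    Each file name becomes exactly one argv element and no shell sees it."""
    return [_fill(word, infile, outfile) for word in shlex.split(template)]

def run_output(cmd, use_shell):
    """Run a command string (shell) or an argv list (no shell); return stdout."""
    done = subprocess.run(cmd, shell=use_shell, capture_output=True, text=True)
    return done.stdout

if __name__ == "__main__":
    print("filter accepts probe:", backtick_only_filter(PROBE))
    print("via shell:", run_output(shell_command(DEMO, PROBE, ""), True))
    print("via argv :", run_output(argv_command(DEMO, PROBE, ""), False))
    print("real template as argv:", argv_command(TEMPLATE, PROBE, "out.ps"))
```

Run through the shell, the probe name comes back with the substitution already performed; run as an argv list, it comes back byte for byte, which is why removing the shell rather than extending the list of banned characters closes the hole.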