Comment 14 for bug 27767
Revision history for this message
|
|
#14 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
f33e652
(Get the code!)
Daniel Kobras wrote:
> found 345238 4:5.4.4.5-1woody7
> found 345238 6:6.0.6.2-2.5
> thanks
>
> On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > > With some user interaction, this is exploitable through Gnus and
> > > Thunderbird. I think this warrants increasing the severity to
> > > "grave".
> >
> > Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
> > I wonder why they've banned ` but still allow $(...), though.
>
> The security updates for woody and sarge (DSA-957) use a backport of
> upstream's fix without further modifications, ie. this hole can still be
> exploited through $(...) expansion. The following test case works on
> woody and sarge with the latest imagemagick security updates installed:
>
> % ls
> test$(touch boo).fig
> % display 'test$(touch boo).fig'
> File "test.fig" does not exist
> display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
> % ls
> boo test$(touch boo).fig
Gnah. You are correct. I'm extending the list of forbidden characters
by $().
Thanks,
Joey
--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin
Please always Cc to me when replying to me on the lists.