On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> With some user interaction, this is exploitable through Gnus and
> Thunderbird. I think this warrants increasing the severity to
> "grave".
Here's the vanilla fix from upstream SVN, stripped off whitespace changes.
I wonder why they've banned ` but still allow $(...), though.
Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 13:49:11 +0100
From: Daniel Kobras <email address hidden>
To: Florian Weimer <email address hidden>, <email address hidden>
Subject: Re: Bug#345238: Shell command injection in delegate code (via file names)
--7JfCtLOvnd9MIVvH Disposition: inline
Content-Type: text/plain; charset=us-ascii
Content-
tag 345238 + patch
thanks
On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> With some user interaction, this is exploitable through Gnus and
> Thunderbird. I think this warrants increasing the severity to
> "grave".
Here's the vanilla fix from upstream SVN, stripped of whitespace changes.
I wonder why they've banned ` but still allow $(...), though.
Regards,
Daniel.
--7JfCtLOvnd9MIVvH Disposition: inline; filename="CVE-2005-4601.diff"
Content-Type: text/plain; charset=us-ascii
Content-
--- delegate.c.orig 2006-01-05 13:37:47.000000000 +0100 ImageInfo *image_info, ExceptionInfo *exception)
image_info- >temporary= MagickTrue; info->mode != 0) info->mode != 0) &&
(delegate_ info->encode != (char *) NULL)) || info->decode != (char *) NULL))) info->decode != (char *) NULL)))) image_info- >filename, ProhibitedAlpha bet) != (char *) NULL) || image-> filename, ProhibitedAlpha bet) != (char *) NULL)) ion(exception, FileOpenError, nsProhibitedCha racters" ,image- >filename) ; MagickFalse) ; ilename( image_info- >unique) == MagickFalse)
ThrowFile Exception( exception, FileOpenError, MagickFalse; image_info- >filename, ProhibitedAlpha bet) != (char *) NULL) || image-> filename, ProhibitedAlpha bet) != (char *) NULL)) ion(exception, FileOpenError, nsProhibitedCha racters" ,image- >filename) ; ilename( image_info- >unique) == MagickFalse)
ThrowFileExce ption(exception ,FileOpenError,
"UnableToCr eateTemporaryFi le",image_ info->unique) ; MagickFalse) ; ilename( image_info- >zero) == MagickFalse) eFileResource( image_info- >unique) ;
ThrowFileExce ption(exception ,FileOpenError,
"UnableToCr eateTemporaryFi le",image_ info->zero) ; MagickFalse) ; TranslateText( image_info, image,commands[ i]);
+++ delegate.c 2006-01-05 13:45:00.000000000 +0100
@@ -701,6 +701,8 @@
MagickExport MagickBooleanType InvokeDelegate(
Image *image,const char *decode,const char *encode,
{
+#define ProhibitedAlphabet "*?\"'<>|`"
+
char
*command,
**commands;
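Review bot: The `ProhibitedAlphabet` denylist added in this hunk leaves out other characters a POSIX shell treats specially, such as `;`, `&`, backslash and newline. Whether each of those matters depends on how the delegate command templates quote the filename, which this patch does not show. A denylist of this kind is hard to keep complete, so an allowlist of characters permitted in delegate filenames, or handing the filenames to the delegate without shell interpretation, would be the more robust fix. The `#define` also sits inside the body of InvokeDelegate with no matching `#undef`, so it stays visible for the rest of the file; placing it at file scope with a comment such as `/* Characters rejected in filenames passed to delegate commands. */` would make that explicit. The function body continues outside the hunk.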
@@ -753,11 +755,11 @@
}
}
- if (delegate_
- if (((decode != (const char *) NULL) &&
+ if ((delegate_
+ (((decode != (const char *) NULL) &&
((encode != (const char *) NULL) &&
- (delegate_
+ (delegate_
{
char
*magick;
@@ -771,6 +773,13 @@
/*
Delegate requires a particular image format.
*/
+ if ((strpbrk(
+ (strpbrk(
+ {
+ ThrowFileExcept
+ "FilenameContai
+ return(
+ }
if (AcquireUniqueF
{
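Review bot: The strpbrk() check on the two filenames is written out twice, once in this hunk and again inside the loop in the `@@ -850,18 +859,25 @@` hunk, differing only in `return(` versus `break;`. A small static helper, for example `static MagickBooleanType ContainsProhibitedCharacters(const char *filename)` that reports whether `strpbrk(filename,ProhibitedAlphabet)` is non-NULL, would keep both sites in sync if the alphabet or the checked fields change later. Neither copy carries a comment saying why the filename is rejected; something like `/* Filenames are substituted into the delegate command line; refuse shell metacharacters. */` above the check would record the intent. The lines in this listing are truncated, so the arguments are read from the fragments at the top of the attachment, and the enclosing block continues outside the hunk.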
@@ -850,18 +859,25 @@
for (i=0; commands[i] != (char *) NULL; i++)
{
status=
+ if ((strpbrk(
+ (strpbrk(
+ {
+ ThrowFileExcept
+ "FilenameContai
+ break;
+ }
if (AcquireUniqueF
{
- return(
+ break;
}
if (AcquireUniqueF
{
(void) RelinquishUniqu
- return(
+ break;
}
command=
if (command == (char *) NULL)
--7JfCtLOvnd9MI VvH--