Comment 10 for bug 27952

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 13:37:02 +0100
From: Daniel Kobras <email address hidden>
To: Matthias Clasen <email address hidden>, <email address hidden>
Subject: Re: Bug#345876: animate.c

On Wed, Jan 04, 2006 at 01:54:29PM -0500, Matthias Clasen wrote:
> I don't doubt that there are more vulnerabilities lurking in
> ImageMagick, but I don't see how this same problem occurs in
> animate.c...

Which version are you looking at? The code in question recently moved
from magick/animate.c to wand/animate.c. Anyway, the underlying problem
is the same in all cases: A single numeric format expansion should be
allowed in user-supplied strings. In animate.c, look for a call to
FormatMagickString() following a comment "Form filename for multi-part
images.". The format string is taken verbatim from the command line.
Admittedly though, animate will rarely be called from scripts or as a
mime handler, so the security impact is quite low compared to, say,
convert.

Regards,

Daniel.