On Wed, Jan 04, 2006 at 01:54:29PM -0500, Matthias Clasen wrote:
> I don't doubt that there are more vulnerabilities lurking in
> ImageMagick, but I don't see how this same problem occurs in
> animate.c...
Which version are you looking at? The code in question recently moved
from magick/animate.c to wand/animate.c. Anyway, the underlying problem
is the same in all cases: A single numeric format expansion should be
allowed in user-supplied strings. In animate.c, look for a call to
FormatMagickString() following a comment "Form filename for multi-part
images.". The format string is taken verbatim from the command line.
Admittedly though, animate will rarely be called from scripts or as a
mime handler, so the security impact is quite low compared to, say,
convert.
Regards,
Daniel.
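
The rule stated in the message above (allow a single numeric format expansion in a user-supplied string) can be enforced before the string reaches a printf-style function. The following is an added example, not ImageMagick's code and not part of the original message; `template_is_safe` and `format_scene_filename` are hypothetical names, and the sample templates in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if tmpl holds at most one conversion and that conversion is a plain
 * integer one (%d %i %o %u %x %X, optional flags, literal width of up to four
 * digits, e.g. "%03d"). "%%" is a literal percent. Everything else is rejected:
 * %s, %n, '*' widths, precision, length modifiers, a second conversion. */
int template_is_safe(const char *tmpl)
{
    int conversions = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                          /* literal percent sign */
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)
            p++;                               /* flags */
        for (int digits = 0; *p >= '0' && *p <= '9'; p++)
            if (++digits > 4)
                return 0;                      /* oversized field width */
        if (*p == '\0' || strchr("diouxX", *p) == NULL)
            return 0;                          /* not an integer conversion */
        if (++conversions > 1)
            return 0;                          /* only one expansion allowed */
    }
    return 1;
}

/* Expand tmpl with a non-negative scene number.
 * Returns 0 on success, -1 if the template is rejected or the result is truncated. */
int format_scene_filename(char *out, size_t outlen, const char *tmpl, int scene)
{
    if (scene < 0 || !template_is_safe(tmpl))
        return -1;
    int n = snprintf(out, outlen, tmpl, scene);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample templates, as they might arrive on a command line. */
    const char *samples[] = { "frame-%03d.png", "image.png", "%s.png", "%d-%d.png" };
    char name[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_scene_filename(name, sizeof name, samples[i], 7);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? name : "(rejected)");
    }
    return 0;
}
```
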