Daniel Kobras wrote: > found 345238 4:5.4.4.5-1woody7 > found 345238 6:6.0.6.2-2.5 > thanks > > On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote: > > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote: > > > With some user interaction, this is exploitable through Gnus and > > > Thunderbird. I think this warrants increasing the severity to > > > "grave". > > > > Here's the vanilla fix from upstream SVN, stripped off whitespace changes. > > I wonder why they've banned ` but still allow $(...), though. > > The security updates for woody and sarge (DSA-957) use a backport of > upstream's fix without further modifications, ie. this hole can still be > exploited through $(...) expansion. The following test case works on > woody and sarge with the latest imagemagick security updates installed: > > % ls > test$(touch boo).fig > % display 'test$(touch boo).fig' > File "test.fig" does not exist > display: Delegate failed `"fig2dev" -L ps "%i" "%o"'. > % ls > boo test$(touch boo).fig
Gnah. You are correct. I'm extending the list of forbidden characters by $(). Thanks, Joey -- The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin Please always Cc to me when replying to me on the lists. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]