On Fri, Jan 27, 2006 at 10:32:51PM +0100, Martin Schulze wrote:
> Daniel Kobras wrote:
> > On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> > > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > > > With some user interaction, this is exploitable through Gnus and
> > > > Thunderbird. I think this warrants increasing the severity to
> > > > "grave".
> > >
> > > Here's the vanilla fix from upstream SVN, stripped off whitespace
> > > changes.
> > > I wonder why they've banned ` but still allow $(...), though.
> >
> > The security updates for woody and sarge (DSA-957) use a backport of
> > upstream's fix without further modifications, ie. this hole can still be
> > exploited through $(...) expansion. The following test case works on
> > woody and sarge with the latest imagemagick security updates installed:
> >
> > % ls
> > test$(touch boo).fig
> > % display 'test$(touch boo).fig'
> > File "test.fig" does not exist
> > display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
> > % ls
> > boo test$(touch boo).fig
>
> Gnah. You are correct. I'm extending the list of forbidden characters
> by $().

Upstream has reverted the blacklist and instead gone for an improved version of the symlink fix I added to ImageMagick in unstable. The patch is more involved, but also more robust and doesn't impose limits on allowed filenames. If you're interested I can extract the changes from upstream SVN.

Regards,

Daniel.
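
The symlink idea mentioned in the reply above, sketched as an added example; it is not upstream's patch or ImageMagick code, only the general technique of handing the delegate a fixed alias instead of the user-supplied file name. The function names, the `wc -c` stand-in for the delegate and the sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not ImageMagick's code. `wc -c` is a stand-in delegate.

# Run a shell-built delegate command on FILE without ever placing FILE's own
# name in the command string: the command only sees a fixed alias.
run_delegate_via_symlink() {
    rd_src=$1
    case $rd_src in
        /*) rd_target=$rd_src ;;
        *)  rd_target=$PWD/$rd_src ;;
    esac
    [ -f "$rd_target" ] || return 2

    # Private directory (mode 0700), so nobody else can swap the link.
    # Assumption: TMPDIR itself contains no shell metacharacters.
    rd_tmp=$(mktemp -d) || return 1
    rd_alias=$rd_tmp/input

    # ln receives the hostile name as one argv element; no shell parses it.
    ln -s "$rd_target" "$rd_alias" || { rm -rf "$rd_tmp"; return 1; }

    # Substitute the alias into a template, as "%i" is substituted in
    # '"fig2dev" -L ps "%i" "%o"', and hand the string to a shell.
    rd_out=$(sh -c "wc -c < \"$rd_alias\"")
    rd_rc=$?
    rm -rf "$rd_tmp"
    printf '%s\n' "$rd_out" | tr -d ' '
    return "$rd_rc"
}

# Constructed check using the file name from the thread's test case.
demo() {
    d_work=$(mktemp -d) || return 1
    (
        cd "$d_work" || exit 1
        printf 'hello' > 'test$(touch boo).fig'
        d_size=$(run_delegate_via_symlink 'test$(touch boo).fig') || exit 1
        # The 5-byte file was read, and the embedded command never ran.
        [ "$d_size" = 5 ] && [ ! -e boo ]
    )
    d_rc=$?
    rm -rf "$d_work"
    return "$d_rc"
}

demo && echo "processed; no 'boo' created"
```

Because the original name only ever appears as a symlink target, no character needs to be forbidden, which is the property the reply attributes to the upstream change.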