found 345238 4:5.4.4.5-1woody7 found 345238 6:6.0.6.2-2.5 thanks On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote: > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote: > > With some user interaction, this is exploitable through Gnus and > > Thunderbird. I think this warrants increasing the severity to > > "grave". > > Here's the vanilla fix from upstream SVN, stripped off whitespace changes. > I wonder why they've banned ` but still allow $(...), though.
The security updates for woody and sarge (DSA-957) use a backport of upstream's fix without further modifications, ie. this hole can still be exploited through $(...) expansion. The following test case works on woody and sarge with the latest imagemagick security updates installed: % ls test$(touch boo).fig % display 'test$(touch boo).fig' File "test.fig" does not exist display: Delegate failed `"fig2dev" -L ps "%i" "%o"'. % ls boo test$(touch boo).fig Regards, Daniel. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]