Comment 15 for bug 27767

Daniel Kobras (kobras) wrote: Re: Bug#345238: Shell command injection in delegate code (via file names)

On Fri, Jan 27, 2006 at 10:32:51PM +0100, Martin Schulze wrote:
> Daniel Kobras wrote:
> > On Thu, Jan 05, 2006 at 01:49:11PM +0100, Daniel Kobras wrote:
> > > On Fri, Dec 30, 2005 at 02:19:27PM +0100, Florian Weimer wrote:
> > > > With some user interaction, this is exploitable through Gnus and
> > > > Thunderbird. I think this warrants increasing the severity to
> > > > "grave".
> > >
> > > Here's the vanilla fix from upstream SVN, stripped of whitespace changes.
> > > I wonder why they've banned ` but still allow $(...), though.
> >
> > The security updates for woody and sarge (DSA-957) use a backport of
> > upstream's fix without further modifications, i.e. this hole can still be
> > exploited through $(...) expansion. The following test case works on
> > woody and sarge with the latest imagemagick security updates installed:
> >
> > % ls
> > test$(touch boo).fig
> > % display 'test$(touch boo).fig'
> > File "test.fig" does not exist
> > display: Delegate failed `"fig2dev" -L ps "%i" "%o"'.
> > % ls
> > boo test$(touch boo).fig
>
> Gnah. You are correct. I'm extending the list of forbidden characters
> by $().

Upstream has reverted the blacklist and instead went for an improved
version of the symlink fix I added to ImageMagick in unstable. The patch
is more involved, but also more robust and doesn't impose limits on
allowed filenames. If you're interested I can extract the changes from
upstream SVN.

Regards,

Daniel.
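The mechanism the thread describes, reproduced as an added example (this is not code from ImageMagick, from the DSA-957 patch, or from any participant in this thread). A delegate line such as `"fig2dev" -L ps "%i" "%o"` has `%i`/`%o` replaced textually by file names and is then handed to `/bin/sh`, so a file name containing backticks or `$(...)` runs commands even inside double quotes, and a blacklist of the backtick alone does not catch `$(...)`. The example swaps the real delegate for a harmless `true "%i" "%o"` template so that only the shell's own expansion has side effects, uses the thread's `test$(touch boo).fig` test case, and contrasts the blacklist approach with a symlink-alias approach in the spirit of the upstream fix Daniel mentions (paraphrased here, not upstream's actual code). The template, the `boo` marker file, and all helper names are assumptions made for this demo; it needs a POSIX `sh` and `touch` on the path.

```python
"""Shell command injection through ImageMagick-style delegate templates.

Added example, not ImageMagick's own code. Constructed inputs throughout.
"""
import os
import subprocess
import tempfile
import uuid

# Harmless stand-in for the delegate line quoted in the thread
# ('"fig2dev" -L ps "%i" "%o"'): 'true' ignores its arguments, so any side
# effect can only come from the shell expanding the substituted file name.
DELEGATE_TEMPLATE = 'true "%i" "%o"'          # assumption for this demo

# File name shaped like the thread's test case; expansion creates 'boo'.
EVIL_NAME = "test$(touch boo).fig"


def expand_delegate(template, infile, outfile):
    """Plain textual substitution of %i / %o, as the vulnerable code did.
    Double quotes in the template do NOT stop `...` or $(...) expansion."""
    return template.replace("%i", infile).replace("%o", outfile)


def run_delegate(command, workdir):
    """Hand the expanded line to sh, as the delegate runner does, and report
    whether the injected 'touch boo' actually ran in workdir."""
    subprocess.run(["sh", "-c", command], cwd=workdir, check=False)
    return os.path.exists(os.path.join(workdir, "boo"))


def blacklist_allows(name, forbidden):
    """Character blacklist in the spirit of the DSA-957 backport: True if the
    name contains none of the forbidden characters. Banning only '`' lets
    $(...) through, which is exactly the bypass shown in the thread."""
    return not any(ch in name for ch in forbidden)


def safe_alias(path, workdir):
    """Symlink-alias approach (paraphrase of the idea, not upstream's code):
    hand the delegate a link whose name we control, so the user-chosen name
    never reaches the shell. The extension is kept so the delegate still
    sees the expected file type. Assumes workdir itself contains no shell
    metacharacters (tempfile.mkdtemp() names satisfy this)."""
    ext = os.path.splitext(path)[1]
    link = os.path.join(workdir, "magick-%s%s" % (uuid.uuid4().hex, ext))
    os.symlink(os.path.abspath(path), link)
    return link


def demo(use_alias):
    """Create EVIL_NAME in a fresh temp dir, run the delegate on it and
    return True if the injected command created 'boo'."""
    workdir = tempfile.mkdtemp()
    open(os.path.join(workdir, EVIL_NAME), "w").close()
    infile = EVIL_NAME
    if use_alias:
        infile = safe_alias(os.path.join(workdir, EVIL_NAME), workdir)
    cmd = expand_delegate(DELEGATE_TEMPLATE, infile, "out.ps")
    return run_delegate(cmd, workdir)


if __name__ == "__main__":
    print("backtick-only blacklist accepts %r: %s"
          % (EVIL_NAME, blacklist_allows(EVIL_NAME, "`")))
    print("naive substitution, injected touch ran:", demo(use_alias=False))
    print("symlink alias,      injected touch ran:", demo(use_alias=True))
```

Even the alias approach still builds a shell command line; it is robust only as long as every substituted path (temp dir included) is under the program's control, which is why keeping the delegate's working directory and alias names free of user input is part of the fix rather than an optimisation.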