Comment 3 for bug 27767

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Dec 2005 22:15:19 +0100
From: Florian Weimer <email address hidden>
To: <email address hidden>
Subject: Shell command injection in delegate code (via file names)

Package: imagemagick
Version: 6.2.4.5-0.3
Tags: security

The delegate code in ImageMagick is vulnerable to shell command
injection, using specially crafted file names:

$ cp /usr/lib/openoffice/share/template/en-US/wizard/bitmap/germany.wmf \
  '" ; echo "Hi!" >&2; : "'.gif
$ display '" ; echo "Hi!" >&2; : "'.gif

It should work with other file formats besides WMF (those for which
delegates are defined).

I'm leaving the severity at normal, because it doesn't seem to be
*that* important. Perhaps this is exploitable through MIME-enabled
MUAs, which would warrant a higher severity.
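Added example, not code from the bug report or from ImageMagick itself: a small Python model of the delegate substitution the report describes, showing why plain textual substitution of a file name into a command string is a shell injection, and two defensive fixes (quote each name as one shell word, or skip the shell entirely and pass argv directly). The template string, the `convert-helper` name and the `%i`/`%o` placeholders are constructed assumptions standing in for a delegates.xml entry.

```python
"""Added example, not code from the bug report or from ImageMagick: a model of
why textual substitution of a file name into a delegate command line is a
shell injection, plus two defensive fixes and an allow-list check."""
import re
import shlex
import subprocess
import sys

# Constructed stand-in for a delegates.xml command template (assumption:
# %i / %o are the input / output placeholders, wrapped in double quotes).
TEMPLATE = 'convert-helper "%i" "%o"'

# The crafted file name from the report, without its .gif suffix.
CRAFTED_NAME = '" ; echo "Hi!" >&2; : "'

def render_unsafe(template, infile, outfile):
    """Historical behaviour: plain string substitution, then handed to sh."""
    return template.replace("%i", infile).replace("%o", outfile)

def render_quoted(template, infile, outfile):
    """Fix 1: each name becomes exactly one shell word via shlex.quote."""
    return (template.replace('"%i"', shlex.quote(infile))
                    .replace('"%o"', shlex.quote(outfile)))

def shell_words(command):
    """Tokenize as /bin/sh would (quotes honoured) without executing anything."""
    return shlex.split(command)

def names_stay_intact(template, command, infile, outfile):
    """Check: the rendered command has the template's word count and both
    file names come back as whole, unchanged words."""
    words = shell_words(command)
    return (len(words) == len(shell_words(template))
            and words[1] == infile and words[2] == outfile)

def run_without_shell(infile):
    """Fix 2: pass the name as a single argv element, so no shell ever parses
    it. The child only echoes argv[1] back to make the round trip visible."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", infile],
        capture_output=True, text=True, check=True)
    return proc.stdout

# Allow-list for names that may reach a delegate at all (policy, not a parser).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+/-]*$")

def acceptable_delegate_name(name):
    return bool(SAFE_NAME.match(name))
```

Running `shell_words` on the unsafe rendering shows the crafted name splitting into a standalone `;` and an `echo` command, while the quoted rendering and the argv path both return the name as a single intact word.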