Hello guys, I found this by chance browsing zgv's homepage. It says, very clearly, "WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions) such that suitably-constructed images can be made to run arbitrary commands when viewed with zgv - not as root, but as the user running zgv. This still has the potential to cause serious trouble, so I strongly recommend that existing users upgrade to the current version." At first glance, it looks related to http://www.gentoo.org/security/en/glsa/glsa-200411-12.xml. I am working on a version bump.
I may have panicked too soon: it seems Gentoo's 5.8 version has its own fix. Most of Gentoo's 5.8 patch was integrated upstream in 5.9. I only wonder if 5.9 fixes possible vulnerabilities that Gentoo's patch did not cover.
Setting to Auditing
Our 5.8 fixes the heap issues, as does 5.9, but 5.9 includes a few bugfixes and a hang fix or two, so I'd just update but not GLSA it, as it is not a security risk. Thanks for reporting anyway.