Bug 117843 - media-gfx/imagemagick New format string vulnerability in SetImageInfo() (CVE-2006-0082)
Summary: media-gfx/imagemagick New format string vulnerability in SetImageInfo() (CVE-...
Status: RESOLVED DUPLICATE of bug 83542
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-04 22:46 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-01-05 00:44 UTC

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-04 22:46:55 UTC
Snipped from Debian bug. Full details and patch in URL.

Specially crafted file names cause programs using ImageMagick to crash
due to a format string vulnerability. It might be possible to execute
arbitrary code due to this bug.

I've discovered the vulnerability while investigating the upstream fix
for #297990 (CAN-2005-0397). It turns out that this fix is buggy and
doesn't plug the security hole. Originally, the format string
vulnerability could be demonstrated with

convert foo.jpg foo%n.jpg       # (or several %n until overflow happens)

Now all we need is one additional, valid, numeric format string, e.g.

convert foo.jpg foo%d%n.jpg     # (or several %n until overflow happens)

The new code just checks for the presence of any of %%, %d, %o, or %x.
If one of them is found, it passes the rest of the string as a format
string to an sprintf()-style function just like in the CAN-2005-0397
vulnerability. It all happens in SetImageInfo() that is usually called
on the target filename in write operations, e.g. the target filename of a
'convert'.
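The flaw described above is that the fix only tested whether a valid numeric directive was present and then still handed the whole filename to an sprintf()-style function. The following is an added illustration, not ImageMagick's code or the Debian patch: it validates every '%' directive in a target filename (so "foo%d%n.jpg" is rejected even though it contains "%d") and expands the scene number itself, so the user-controlled string is never used as a format string. The function names and the width handling are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not ImageMagick code): walk every '%' in the name and
 * accept only "%%" or an integer conversion (%d, %o, %x) with an optional
 * numeric width such as "%03d".  Any other directive (%n, %s, a trailing '%')
 * makes the whole name unsafe, regardless of what else it contains. */
int filename_directives_are_safe(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                        /* literal percent sign */
        while (isdigit((unsigned char)*p))   /* optional field width */
            p++;
        if (*p != 'd' && *p != 'o' && *p != 'x')
            return 0;
    }
    return 1;
}

/* Hypothetical hardened expansion: literal text is copied and each integer
 * directive is rendered with a fixed format of our own, so only the scene
 * number is ever formatted.  Returns the output length, or -1 if the name is
 * unsafe or the result does not fit in out[]. */
int expand_scene_filename(const char *name, unsigned scene, char *out, size_t outlen)
{
    size_t used = 0;
    if (!filename_directives_are_safe(name))
        return -1;
    for (const char *p = name; *p; p++) {
        if (*p == '%' && p[1] != '%') {
            int width = 0, zero = (p[1] == '0');
            for (p++; isdigit((unsigned char)*p); p++)
                width = width * 10 + (*p - '0');
            const char *fmt = *p == 'd' ? (zero ? "%0*u" : "%*u")
                            : *p == 'o' ? (zero ? "%0*o" : "%*o")
                                        : (zero ? "%0*x" : "%*x");
            int n = snprintf(out + used, outlen - used, fmt, width, scene);
            if (n < 0 || (size_t)n >= outlen - used)
                return -1;
            used += (size_t)n;
        } else {
            if (*p == '%')
                p++;                         /* "%%" becomes "%" */
            if (used + 1 >= outlen)
                return -1;
            out[used++] = *p;
        }
    }
    out[used] = '\0';
    return (int)used;
}
```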
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-04 22:48:14 UTC
Karol please advise, patch as necessary and note what other packages might be affected.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-01-05 00:44:57 UTC

*** This bug has been marked as a duplicate of 83542 ***