there's a problem handling filenames in imagemagick, this could potentially cause problems in webapps that use the utilities (mediawiki, gallery, etc).
I reported the problem (in SetImageInfo()) upstream who say a fix will be present in 6.2.0-3.
convert /dev/null %n
convert /dev/null "%.03%hn%hn:%x%x%"
Steps to Reproduce:
Created attachment 52363 [details, diff]
filename handling format string patch
oneliner patch for image magick filename handling issue.
Graphics team, please bump to 6.2.0-3 or apply provided patch to current.
This will be CAN-2005-0397
Imagemagick and perlmagick bumped to 18.104.22.168.
***Please, update keywords of dev-perl/perlmagick to match imagemagick***
sekretarz I presume you mean 22.214.171.124:-)
Arches please test and mark imagemagick and perlmagick stable.
yeah, sorry, bumped to 126.96.36.199, of course ;)
stable on amd64
stable on ppc64
Stable on ppc.
hppa, ia64, mips: please mark stable to benefit from GLSA
Stable on mips.
Already stable on hppa
Debian says the patch is not sufficient.
Tavis, your opinion ?
Created attachment 76159 [details, diff]
New proposed patch, from Debian
graphics, please repatch ?
*** Bug 117843 has been marked as a duplicate of this bug. ***
New one is CVE-2006-0082
Anyone in graphics herd ?
I checked imagemagick-188.8.131.52 code and i think that they fixed this flow. They didn't apply patch from debian but current code doesn't expand % chars. I advise to push imagemagick-184.108.40.206 stable.
Calling arches _very_ late.
Stable on hppa
stable on alpha
ready for glsa
arm and mips should mark stable to benefit from GLSA
220.127.116.11 stable on mips (took us long enough I guess....)