From the Debian bug at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824:

> ImageMagick reads several configuration files[0] from the current working directory. Unfortunately, this allows local attackers to execute arbitrary code if ImageMagick is run from an untrusted directory.
>
> Steps to reproduce this bug:
>
> 1. As an attacker, put the attached files in /tmp.
> 2. As a victim, in /tmp run:
>
>     $ convert /path/to/foo.png /path/to/bar.png
>     All your base are belong to us.
>     convert: missing an image filename `/path/to/bar.png'.

Looks to be fixed in 6.6.5-5 upstream. http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog
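The lookup the quoted report describes, as an added example that is neither ImageMagick's code nor an attachment from the bug: a hypothetical configuration loader that consults the current working directory first, beside a hardened one that searches only fixed directories and rejects files it cannot trust. The file name delegates.xml, the search directories and the planted and legitimate files (built in temporary directories) are assumptions constructed for the demonstration; nothing is executed from the planted file.

```python
import os
import stat
import tempfile

# Assumption for this example: the name of one configuration file a tool
# such as convert would look for. The bug report does not list the names.
CONFIG_NAME = "delegates.xml"


def find_config_unsafe(search_dirs):
    """Buggy lookup: returns the first match, trusting every directory in
    search_dirs, including the current working directory."""
    for d in search_dirs:
        candidate = os.path.join(d, CONFIG_NAME)
        if os.path.isfile(candidate):
            return os.path.realpath(candidate)
    return None


def is_trusted_file(path):
    """Accept only a regular file (no symlink) owned by root or the current
    user, not writable by group or others, whose directory is not
    world-writable. A sticky /tmp is still world-writable, so it is rejected."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (0, os.getuid()):
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        return False
    return True


def find_config_safe(user_dir, system_dirs):
    """Hardened lookup: fixed absolute directories only, never the CWD, and
    every hit must pass is_trusted_file()."""
    for d in [user_dir] + list(system_dirs):
        candidate = os.path.join(d, CONFIG_NAME)
        if os.path.isfile(candidate) and is_trusted_file(candidate):
            return os.path.realpath(candidate)
    return None


def demo():
    """Constructed scenario: a world-writable directory standing in for /tmp,
    a private home directory and a system configuration directory."""
    with tempfile.TemporaryDirectory() as untrusted, \
         tempfile.TemporaryDirectory() as home, \
         tempfile.TemporaryDirectory() as sysdir:
        os.chmod(untrusted, 0o1777)            # same mode as /tmp
        planted = os.path.join(untrusted, CONFIG_NAME)
        with open(planted, "w") as f:          # attacker-controlled content
            f.write("<!-- planted by a local attacker -->\n")

        os.chmod(sysdir, 0o755)
        legit = os.path.join(sysdir, CONFIG_NAME)
        with open(legit, "w") as f:            # legitimate system copy
            f.write("<!-- legitimate system configuration -->\n")
        os.chmod(legit, 0o644)

        user_dir = os.path.join(home, ".magick")  # absent: lookups fall through

        old_cwd = os.getcwd()
        os.chdir(untrusted)                    # the victim runs the tool from /tmp
        try:
            unsafe = find_config_unsafe([os.getcwd(), user_dir, sysdir])
            safe = find_config_safe(user_dir, [sysdir])
        finally:
            os.chdir(old_cwd)

        return {
            "unsafe_picks_planted": unsafe == os.path.realpath(planted),
            "safe_picks_system": safe == os.path.realpath(legit),
            "planted_is_trusted": is_trusted_file(planted),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened loader applies two independent defences: the working directory is simply not on the search path, and even a directory that is on the path cannot supply a file that is writable by others or sits in a world-writable directory.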
Bumped in CVS.

*imagemagick-6.6.5.6 (17 Nov 2010)

  17 Nov 2010; Markus Meier <maekke@gentoo.org> +imagemagick-6.6.5.6.ebuild:
  version bump, security bug #345569
Thank you. Arches, please test and mark stable: =media-gfx/imagemagick-6.6.5.6 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Requires >=media-libs/libfpx-1.3.0-r1, and that is not stable.
*** Bug 345897 has been marked as a duplicate of this bug. ***
Stable for PPC.
amd64 done
x86 done. The tests are weird. Why do they only run on the second merge?

src_test() {
	if has_version ~${CATEGORY}/${P}; then
		emake -j1 check || die
	else
		ewarn "Skipping tests because installed version doesn't match."
	fi
}
Stable for HPPA.
alpha/arm/ia64/s390/sh/sparc stable
ppc64 done
Thanks, folks. GLSA Vote: no.
GLSA Vote: no -> Closing. Feel free to reopen if you disagree.
*** Bug 386381 has been marked as a duplicate of this bug. ***