Date: Tue, 29 Apr 2008 08:22:28 -0400
From: Mikhail Teterin <mi+kde@aldan.algebra.com>
To: Henrik Brix Andersen <brix@freebsd.org>
Cc: cvs-ports@freebsd.org, Bob Friesenhahn <bfriesen@simple.dallas.tx.us>, cvs-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/graphics/GraphicsMagick Makefile distinfo
Message-ID: <200804290822.29305@aldan>
In-Reply-To: <20080429055949.GA1517@tirith.brixandersen.dk>
References: <200804290052.m3T0q6bB088900@repoman.freebsd.org> <20080429055949.GA1517@tirith.brixandersen.dk>

On Tuesday 29 April 2008, Henrik Brix Andersen wrote:
= >   Update to 1.1.12, which (partially) fixes some potential security
= >   flaws...
=
= The flaws are only partially fixed? Or the update is only partially a
= security update?

My understanding -- from the author's description (CC-ed) -- is that the flaws
are inherent and can not be /fully/ fixed. ImageMagick and GraphicsMagick
both look at the filename for the "special characters" and extensions. By
carefully crafting those, it may be possible to cause them to launch other
executables...

There should be more in the ChangeLog...

	-mi