From owner-cvs-all@FreeBSD.ORG  Tue Apr 29 12:34:11 2008
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8B4F91065673;
	Tue, 29 Apr 2008 12:34:11 +0000 (UTC)
	(envelope-from mi+kde@aldan.algebra.com)
Received: from aldan.algebra.com (aldan.algebra.com [216.254.65.224])
	by mx1.freebsd.org (Postfix) with ESMTP id 361FD8FC12;
	Tue, 29 Apr 2008 12:34:11 +0000 (UTC)
	(envelope-from mi+kde@aldan.algebra.com)
Received: from aldan.algebra.com (localhost [127.0.0.1])
	by aldan.algebra.com (8.14.2/8.14.1) with ESMTP id m3TCMTdj020535
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 29 Apr 2008 08:22:29 -0400 (EDT)
	(envelope-from mi+kde@aldan.algebra.com)
Received: from localhost (localhost [[UNIX: localhost]])
	by aldan.algebra.com (8.14.2/8.14.1/Submit) id m3TCMTf9020534;
	Tue, 29 Apr 2008 08:22:29 -0400 (EDT)
	(envelope-from mi+kde@aldan.algebra.com)
From: Mikhail Teterin <mi+kde@aldan.algebra.com>
To: Henrik Brix Andersen <brix@freebsd.org>
Date: Tue, 29 Apr 2008 08:22:28 -0400
User-Agent: KMail/1.9.9
References: <200804290052.m3T0q6bB088900@repoman.freebsd.org>
	<20080429055949.GA1517@tirith.brixandersen.dk>
In-Reply-To: <20080429055949.GA1517@tirith.brixandersen.dk>
X-Face: %UW#n0|w>ydeGt/b@1-.UFP=K^~-:0f#O:D7w<gv/&E-lL7twZCT8B~/PA4|\t$ti+22K">hJ5G_<5143Bb3kOIs9XpX+"V+~$adGP:J|SLieM31VIhqXeLBli"<kcG^EOVihy+z3/UR{6SCQ
MIME-Version: 1.0
Content-Type: text/plain;
  charset="koi8-u"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <200804290822.29305@aldan>
Cc: cvs-ports@freebsd.org, Bob Friesenhahn <bfriesen@simple.dallas.tx.us>,
	cvs-all@freebsd.org, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/graphics/GraphicsMagick Makefile distinfo
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2008 12:34:11 -0000

On =D7=A6=D7=D4=CF=D2=CF=CB 29 =CB=D7=A6=D4=C5=CE=D8 2008, Henrik Brix Ande=
rsen wrote:
=3D > =9A Update to 1.1.12, which (partially) fixes some potential security
=3D > =9A flaws...
=3D=20
=3D The flaws are only partially fixed? Or the update is only partially a
=3D security update?

My understanding -- from the author's description (CC-ed) -- is that the fl=
aws=20
are inherent and can not be /fully/ fixed. ImageMagick and GraphicsMagick=20
both look at the filename for the "special characters" and extensions. By=20
carefully crafting those, it may be possible to cause them to launch other=
=20
executables...

There should be more in the ChangeLog...

	-mi