tags 297990 + patch
thanks

On Sat, Mar 19, 2005 at 05:15:20PM +0100, Helge Kreutzmann wrote:
> Looking at
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
> it appears as if woody is impacted as well. And "possibly execute
> arbitrary code" does not sound too nice either.

I've confirmed that woody is indeed impacted. Suggested patch attached.

Regards,

Daniel.

diff -u imagemagick-5.4.4.5/debian/changelog 
imagemagick-5.4.4.5/debian/changelog
--- imagemagick-5.4.4.5/debian/changelog
+++ imagemagick-5.4.4.5/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (4:5.4.4.5-1woody6) stable-security; urgency=high
+
+  * Non-maintainer upload for the Security Team.
+  * magick/image.c: FormatString() was called with the file name as
+    format string, rather than through "%s". Fix backported from
+    unstable. Closes: #297990 (CAN-2005-0397)
+
+ -- Daniel Kobras <[EMAIL PROTECTED]>  Sat, 19 Mar 2005 18:04:30 +0100
+
 imagemagick (4:5.4.4.5-1woody5) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
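Review bot: the new 4:5.4.4.5-1woody6 entry says "Fix backported from unstable" without naming the unstable version the change was taken from. Adding that version to the entry would let the backport be compared against the original fix.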
only in patch2:
unchanged:
--- imagemagick-5.4.4.5.orig/magick/image.c
+++ imagemagick-5.4.4.5/magick/image.c
@@ -6411,7 +6411,7 @@
       /*
         Rectify multi-image file support.
       */
-      FormatString(filename,image_info->filename,0);
+      FormatString(filename,"%s",image_info->filename,0);
       if ((LocaleCompare(filename,image_info->filename) != 0) &&
           (strchr(filename,'%') == (char *) NULL))
         image_info->adjoin=False;
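Review bot: with the "%s" format on the changed line, filename becomes a plain copy of image_info->filename, so the following test LocaleCompare(filename,image_info->filename) != 0 can no longer be true (short of truncation) and image_info->adjoin=False looks unreachable from this branch. The old call appears to have relied on expanding a conversion in the file name with the trailing 0 argument, which is now unused. If the multi-image handling is still wanted, detect the scene conversion in the file name explicitly rather than by comparing the formatted result; otherwise drop the dead comparison and the extra 0. It would also help to say whether other FormatString() calls that take a non-literal format were checked.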
