[3.3] ImageMagick: Remote code execution via filename (CVE-2016-5118)
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and
ImageMagick allows remote attackers to execute arbitrary
code via a | (pipe) character at the start of a filename.
Fix for ImageMagick needs to be investigated.
References:
http://www.openwall.com/lists/oss-security/2016/05/29/7
(from redmine: issue id 5750, created on 2016-06-19, closed on 2017-09-05)
- Relations:
  - parent #5747 (closed)
- Changesets:
  - Revision f3be8e3c by Sergei Lukin on 2016-12-26T14:47:53Z:
main/imagemagick: security upgrade to 6.9.6.8 - fixes #5750, #6103, #6326
CVE-2016-5118
CVE-2016-7799, CVE-2016-7906
CVE-2016-4562, CVE-2016-4563, CVE-2016-4564, CVE-2016-5010, CVE-2016-5687,
CVE-2016-5688, CVE-2016-5689, CVE-2016-5690, CVE-2016-5691, CVE-2016-5841,
CVE-2016-5842, CVE-2016-6491
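
Added example, not part of the original issue and not code from Alpine, ImageMagick or GraphicsMagick: an application-side guard for the condition the description names, a `|` at the start of a filename handed to the image tool. The function names, the upload directory and the sample filenames are constructed assumptions; stripping whitespace before the check is a conservative choice made here, and patching remains the actual fix.

```python
import os


class UnsafeFilename(ValueError):
    """Raised when an untrusted name must not reach the image tool."""


def safe_image_arg(untrusted_name: str, upload_dir: str) -> str:
    """Return an absolute path inside upload_dir, or raise UnsafeFilename."""
    name = untrusted_name.strip()
    if not name:
        raise UnsafeFilename("empty filename")
    # The condition from CVE-2016-5118: a pipe at the start of the filename.
    if name.startswith("|"):
        raise UnsafeFilename("leading pipe character")
    if "\x00" in name:
        raise UnsafeFilename("NUL byte in filename")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Keep the file inside the upload directory (blocks ../ and absolute names).
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename("path escapes upload directory")
    # An absolute path starts with the separator, so the argument passed on
    # can never begin with '|', whatever the original name looked like.
    return candidate


def check_all(names, upload_dir):
    """Return (name, accepted, detail) for each untrusted name."""
    results = []
    for n in names:
        try:
            results.append((n, True, safe_image_arg(n, upload_dir)))
        except UnsafeFilename as exc:
            results.append((n, False, str(exc)))
    return results


# Constructed sample input; none of these names come from the issue.
SAMPLE_NAMES = ["cat.png", "|constructed-name", "  |padded", "../../etc/passwd",
                "holiday|2016.png"]

if __name__ == "__main__":
    for name, ok, detail in check_all(SAMPLE_NAMES, "/srv/uploads"):
        print(f"{'accept' if ok else 'reject'}  {name!r}: {detail}")
```

A pipe in the middle of a name is accepted because the description only concerns the first character.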