[3.4] ImageMagick: Remote code execution via filename (CVE-2016-5118)
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and
ImageMagick allows remote attackers to execute arbitrary
code via a | (pipe) character at the start of a filename.
Fix for ImageMagick needs to be investigated.
References:
http://www.openwall.com/lists/oss-security/2016/05/29/7
(from redmine: issue id 5749, created on 2016-06-19, closed on 2017-09-05)
- Relations:
- parent #5747 (closed)