Another two vulnerabilities have been discovered in DokuWiki. Both are mostly harmful for users of ImageMagick's convert utility only, but should be quickly fixed by everyone.
The first one is a possible denial of service vulnerability caused by allowing images being resized unlimited. When libGD is used (default) the needed RAM is calculated before and the function aborts if not enough RAM for the PHP process is available (typically 8 to 32MB). However if ImageMagick ($conf['imconvert']) is used, no such limit exists, allowing an attacker to potentially consume a lot of system ressources.
More info and how to fix this is available at http://bugs.splitbrain.org/?do=details&id=924
While examining this problem I discovered another, more serious one. The input parameters for width and height are not sanitized properly, which can be used by an attacker to introduce arbitrary shell commands into the imagemagick commandline. I was not able exploit this with the default libGD option but all users should apply the fix as soon as possible anyway.
More info and how to fix this is available at http://bugs.splitbrain.org/?do=details&id=926
Both problems are fixed in the new hotfixed tarball available at http://www.splitbrain.org/go/dokuwiki