While examining FS#924, I discovered a more serious problem in fetch.php.
The input for width and height when resizing an image is not sanitized properly, which allows an attacker to inject arbitrary strings. When ImageMagick's convert is used, these strings are passed through unfiltered to the shell.
This is only exploitable when $conf['imconvert'] is set - by default it is unset and PHP's libGD is used. All users are encouraged to fix this nonetheless.
You can either download the new tarball or apply the changes yourself.
To do so, change the two lines at the top of lib/exe/fetch.php from
$WIDTH = $_REQUEST['w'];
$HEIGHT = $_REQUEST['h'];
to
$WIDTH = (int) $_REQUEST['w'];
$HEIGHT = (int) $_REQUEST['h'];
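
The effect of the integer cast, shown as an added example that is not DokuWiki's own code: it runs the cast over constructed request values and then builds a convert command with each argument quoted as a second layer of defence. The function names, the 4096 pixel limit, the file paths and the treatment of 0 as "no usable size" are assumptions made for this illustration.

```php
<?php
// Added illustration; names, limits and paths below are hypothetical.

/**
 * Reduce a raw request value to an integer between 0 and $max.
 * The (int) cast keeps only a leading run of digits, so any text that
 * follows the number never reaches the command line.
 */
function clean_dimension($raw, int $max = 4096): int
{
    if (!is_scalar($raw)) {          // e.g. w[]=1 arrives as an array
        return 0;
    }
    $n = (int) $raw;
    return $n < 0 ? 0 : min($n, $max);
}

/**
 * Build the resize command for ImageMagick's convert.
 * Returns null when no usable size was given, so the caller can skip
 * the shell entirely. Every argument is quoted with escapeshellarg().
 */
function build_resize_command(string $convert, string $src, string $dst, int $w, int $h): ?string
{
    if ($w < 1 || $h < 1) {
        return null;
    }
    return escapeshellarg($convert)
        . ' -resize ' . escapeshellarg($w . 'x' . $h)
        . ' ' . escapeshellarg($src)
        . ' ' . escapeshellarg($dst);
}

// Constructed values standing in for $_REQUEST['w'] and $_REQUEST['h'].
$samples = ['200', ' 150', '120abc', '300 extra words', '-5', 'abc', '99999', ['1']];
foreach ($samples as $raw) {
    printf("%-20s => %d\n", json_encode($raw), clean_dimension($raw));
}

// Trailing text in the width is dropped before the command is assembled.
$cmd = build_resize_command(
    '/usr/bin/convert', '/tmp/in file.png', '/tmp/out.png',
    clean_dimension('120abc'), clean_dimension('80')
);
echo $cmd, "\n";
```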