MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.
lists.fedoraproject.org/pipermail/package-announce/2014-February/127942.html
lists.fedoraproject.org/pipermail/package-announce/2014-February/127948.html
lists.wikimedia.org/pipermail/mediawiki-announce/2014-January/000140.html
osvdb.org/102630
secunia.com/advisories/56695
secunia.com/advisories/57472
www.checkpoint.com/defense/advisories/public/2014/cpai-26-jan.html
www.checkpoint.com/threatcloud-central/articles/2014-01-28-tc-researchers-discover.html
www.debian.org/security/2014/dsa-2891
www.exploit-db.com/exploits/31329/
www.osvdb.org/102631
www.securityfocus.com/bid/65223
www.securitytracker.com/id/1029707
bugzilla.wikimedia.org/attachment.cgi?id=14361&action=diff
bugzilla.wikimedia.org/attachment.cgi?id=14384&action=diff
bugzilla.wikimedia.org/show_bug.cgi?id=60339
gerrit.wikimedia.org/r/#/c/110069/
gerrit.wikimedia.org/r/#/c/110069/2/includes/media/Bitmap.php
gerrit.wikimedia.org/r/#/c/110215/