Date: Tue, 3 May 2016 21:15:05 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714 Thank you for bringing this in here, Ryan. On Tue, May 03, 2016 at 10:59:12AM -0700, Ryan Huber wrote: > What are "magic bytes"? > > The first few bytes of a file can often used to identify the type of > file. Some examples are GIF images, which start with the hex bytes "47 > 49 46 38", and JPEG images, which start with "FF D8". This list on > Wikipedia has the magic bytes for most common file types. It may be preferable to refer to ImageMagick's own list of magics. HD Moore tweeted the relevant links: <hdmoore> Two reasons you probably shouldn't be using ImageMagick in your web applications: https://github.com/ImageMagick/ImageMagick/blob/8c9d68ca4241b6faafa7a35658a125c3500a5edf/MagickCore/magic.c#L89 & https://github.com/ImageMagick/ImageMagick/blob/e93e339c0a44cec16c08d78241f7aa3754485004/www/source/delegates.xml#L62 <hdmoore> ImageTragick: Upload(meme.png)->(IM detects non-png format based on file magic)->(IM uses insecure delegates to decode)->Shells! > ImageMagick also disclosed this on their forum a few hours ago. https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ