Date: Tue, 3 May 2016 21:15:05 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

Thank you for bringing this in here, Ryan.

On Tue, May 03, 2016 at 10:59:12AM -0700, Ryan Huber wrote:
> What are "magic bytes"?
> 
> The first few bytes of a file can often be used to identify the type of
> file. Some examples are GIF images, which start with the hex bytes "47
> 49 46 38", and JPEG images, which start with "FF D8". This list on
> Wikipedia has the magic bytes for most common file types.

It may be preferable to refer to ImageMagick's own list of magics.
HD Moore tweeted the relevant links:

<hdmoore> Two reasons you probably shouldn't be using ImageMagick in your web applications: https://github.com/ImageMagick/ImageMagick/blob/8c9d68ca4241b6faafa7a35658a125c3500a5edf/MagickCore/magic.c#L89 & https://github.com/ImageMagick/ImageMagick/blob/e93e339c0a44cec16c08d78241f7aa3754485004/www/source/delegates.xml#L62
<hdmoore> ImageTragick: Upload(meme.png)->(IM detects non-png format based on file magic)->(IM uses insecure delegates to decode)->Shells!

> ImageMagick also disclosed this on their forum a few hours ago.

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Alexander
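
The magic-byte check discussed above, written out as an added example (not part of the original message and not ImageMagick code): an upload is accepted only when its extension is on an allowlist and its leading bytes match that extension. The function name, the allowlist and the sample uploads are assumptions constructed for illustration.

```python
import os

# Extension -> accepted leading bytes. GIF and JPEG values are the ones quoted
# in the message above; the PNG value is the standard 8-byte PNG signature.
ALLOWED_MAGIC = {
    ".gif": bytes.fromhex("47494638"),
    ".jpg": bytes.fromhex("ffd8"),
    ".jpeg": bytes.fromhex("ffd8"),
    ".png": bytes.fromhex("89504e470d0a1a0a"),
}

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be handed to the image library.

    Only the final extension counts, it must be on the allowlist, and the
    file must start with the magic bytes that extension implies.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    expected = ALLOWED_MAGIC.get(ext)
    if expected is None:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) < len(expected):
        return False, "file too short to carry its magic bytes"
    if not data.startswith(expected):
        return False, f"content does not start with {ext} magic bytes"
    return True, "ok"

# Constructed sample inputs (hypothetical uploads, not taken from the thread).
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x00" * 16,
    "photo.JPG": bytes.fromhex("ffd8ffe0") + b"\x00" * 16,
    "meme.png": b"push graphic-context\nviewbox 0 0 640 480\n",  # text, not PNG
    "logo.png": bytes.fromhex("89504e470d0a1a0a") + b"\x00" * 16,
    "empty.png": b"",
    "notes.svg": b"<svg/>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, reason = check_upload(name, blob)
        print(f"{name:10} {'accept' if ok else 'reject'}  {reason}")
```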
