Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 May 2016 21:15:05 +0300
From: Solar Designer <>
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

Thank you for bringing this in here, Ryan.

On Tue, May 03, 2016 at 10:59:12AM -0700, Ryan Huber wrote:
> What are "magic bytes"?
> The first few bytes of a file can often used to identify the type of
> file. Some examples are GIF images, which start with the hex bytes "47
> 49 46 38", and JPEG images, which start with "FF D8". This list on
> Wikipedia has the magic bytes for most common file types.

It may be preferable to refer to ImageMagick's own list of magics.
HD Moore tweeted the relevant links:

<hdmoore> Two reasons you probably shouldn't be using ImageMagick in your web applications: &
<hdmoore> ImageTragick: Upload(meme.png)->(IM detects non-png format based on file magic)->(IM uses insecure delegates to decode)->Shells!

> ImageMagick also disclosed this on their forum a few hours ago.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ