Date: Tue, 3 May 2016 16:26:37 -0700 From: Seth Arnold <seth.arnold@...onical.com> To: Karim Valiev <valievkarim@...il.com> Cc: oss-security@...ts.openwall.com Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714 On Wed, May 04, 2016 at 01:38:49AM +0300, Karim Valiev wrote: > The exploit was posted at Hacker News comments thread, so it's time to > disclose the full story. Thanks for this; here's the bulk of my reply to the distros@ list yesterday: ======== [...] I see attempts in the source code to apply whitelists to allowed characters: http://git.imagemagick.org/repos/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccf8888cddc93 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- " ".@&;<>()/\\\'\":%=~`"; followed several days later by: http://git.imagemagick.org/repos/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181 "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" "+&@...?=~_|!:,.;()"; The ; and | entries make me think they haven't actually thought this thing through in any real way yet. Shellshock showed that e.g. () may look harmless enough without the $ but it is also dangerous. I think it's probably a mistake to try to whitelist filter input in this fashion and try to continue on in the case of failure. Error out in the case of oddball inputs. Another approach is to quote inputs following Florian Weimer's advice: http://www.openwall.com/lists/oss-security/2014/02/04/7 return "'" + s.replace("'"', r"'\''") + "'" (In Python, but the idea should translate well.) Or, generate the filenames to contain only safe chars. (See mkstemp(3), the function already exists.) Or, replace the strings with arrays and use execve() instead of system(). Or, scrap the entire delegates.xml idea, it seems like a strange thing to bolt on to the side of the image processing toolkit. ======== Thanks Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ