Date: Tue, 3 May 2016 18:00:39 -0700
From: Seth Arnold <>
To: Brandon Dees <>
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

On Wed, May 04, 2016 at 12:05:16AM +0000, Brandon Dees wrote:
> is it appropriate to ask if the same issues are present in GraphicsMagick
> as well?

I haven't investigated deeply but it seems very plausible to me:
Here's the delegates.xml work-alike:

This appears to be executed via:
which tries to escape arguments using UnixShellTextEscape(). This function
appears to replace \`"$ chars with backslash-escaped versions. I'm not
sure this is a safe mechanism either.
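
Added example, not part of the original message and not GraphicsMagick's code: a C work-alike of the escaping as the message describes it (a backslash in front of \ ` " $), with a check that a value escaped this way is read as literal data by /bin/sh when it sits between double quotes. The names dq_escape and dq_roundtrip_ok, the scratch file name and the sample values are constructed for the illustration.

```c
/* Added example: work-alike of the escaping described above, not GraphicsMagick code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Backslash-escape the four characters the message lists: \ ` " $
 * Returns 0 on success, -1 if dst is too small. */
int dq_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        int special = strchr("\\`\"$", *src) != NULL;
        if (o + (special ? 2 : 1) >= dstlen)
            return -1;
        if (special)
            dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Place the escaped value between double quotes in an sh command and check
 * that printf receives exactly the original bytes (1 = yes, 0 = no). */
int dq_roundtrip_ok(const char *raw)
{
    const char *tmp = "dq_roundtrip.out"; /* constructed scratch file name */
    char esc[256], cmd[512], got[256];
    FILE *f;
    size_t n;
    if (dq_escape(raw, esc, sizeof esc) != 0)
        return 0;
    snprintf(cmd, sizeof cmd, "printf %%s \"%s\" > %s", esc, tmp);
    if (system(cmd) != 0 || (f = fopen(tmp, "rb")) == NULL)
        return 0;
    n = fread(got, 1, sizeof got - 1, f);
    got[n] = '\0';
    fclose(f);
    remove(tmp);
    return strcmp(got, raw) == 0;
}

int main(void)
{
    /* Constructed sample values, one per escaped character plus a plain one. */
    const char *samples[] = { "plain.png", "a\"b", "$HOME", "`echo x`", "back\\slash" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s literal inside double quotes: %s\n", samples[i],
               dq_roundtrip_ok(samples[i]) ? "yes" : "NO");
    return 0;
}
```

The check covers only a value placed between double quotes. In an unquoted or single-quoted position of a command template the shell gives other characters special meaning, so the template's quoting has to be reviewed together with the escape function.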

