Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 04 May 2016 00:05:16 +0000
From: Brandon Dees <brandon@...tta.com>
To: oss-security@...ts.openwall.com, Seth Arnold <seth.arnold@...onical.com>
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

is it appropriate to ask if the same issues are present in GraphicsMagick
as well?

On Tue, May 3, 2016 at 6:52 PM Tim <tim-security@...tinelchicken.org> wrote:

>
> > Or, replace the strings with arrays and use execve() instead of system().
>
> ^^^
>
> That.
>
> system() should be taken out into the street and shot.  There's just
> no good reason for a respectable programmer to use it.
>
> Not saying that's the *only* thing they would need to do, but we need
> to encourage development platforms, in general, to stop offering up
> awful interfaces like this.  Heck, Node.js offers a child_process.exec()
> call that isn't exec at all.  It is (approximately) system().  Surely
> that won't lead to any problems...
>
> tim
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ