Date: Wed, 04 May 2016 00:05:16 +0000 From: Brandon Dees <brandon@...tta.com> To: oss-security@...ts.openwall.com, Seth Arnold <seth.arnold@...onical.com> Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714 is it appropriate to ask if the same issues are present in GraphicsMagick as well? On Tue, May 3, 2016 at 6:52 PM Tim <tim-security@...tinelchicken.org> wrote: > > > Or, replace the strings with arrays and use execve() instead of system(). > > ^^^ > > That. > > system() should be taken out into the street and shot. There's just > no good reason for a respectable programmer to use it. > > Not saying that's the *only* thing they would need to do, but we need > to encourage development platforms, in general, to stop offering up > awful interfaces like this. Heck, Node.js offers a child_process.exec() > call that isn't exec at all. It is (approximately) system(). Surely > that won't lead to any problems... > > tim >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ