Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 May 2016 16:27:09 -0500
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

On 5/19/16 2:00 PM, Simon McVittie wrote:
> Bob, if you would like distributions to pick up GraphicsMagick security
> fixes in a timely way, it would probably be really useful to do an
> upstream release - distributions are typically a lot more confident about
> backporting large changes to their stable branches without regressions
> if they've been able to get some testing on the same changes in their
> unstable branches first.

I spent quite a bit of time looking at the ImageMagick, GraphicsMagick,
RedHat and Debian changes trying to piece together a proper list of
flaws to fix through backporting and policy file changes.

I also spent some time looking at the remaining delegates trying to
figure out which will have near-identical flaws to the issues that have
already been fixed.

This is the list I'm working off of. For RedHat and Debian, I only
checked the ImageMagick updates.

CVE-2016–3714 - RCE via shell characters in delegate invocation.
ImageMagick: Fixed
GraphicsMagick: Not vulnerable
RedHat: Fixed
Debian: Fixed

CVE-2016-3718 - SSRF via HTTP and FTP coders
ImageMagick: Not fixed
GraphicsMagick: Not fixed
RedHat: Fixed
Debian: Fixed

CVE-2016-3715 - File deletion via EPHEMERAL coder
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Fixed
Debian: Fixed

CVE-2016-3716 - File move via MSL coder
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Fixed
Debian: Fixed

CVE-2016-3717 - File read via LABEL coder
ImageMagick: Not fixed?
GraphicsMagick: Not fixed?
RedHat: Fixed
Debian: Fixed

No CVE assigned - Heap overflow in PICT parser
ImageMagick: Fixed
GraphicsMagick: ??
RedHat: Not fixed
Debian: Not fixed
Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

No CVE assigned - Out of bounds read in the PSD parser
ImageMagick: Fixed
GraphicsMagick: ??
RedHat: Not fixed
Debian: Not fixed
Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

No CVE assigned - RCE via gnuplot delegate
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Not fixed
Debian: Fixed
Reference: http://www.openwall.com/lists/oss-security/2016/05/09/1

No CVE assigned - File read via man delegate
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Not fixed
Debian: Not fixed
Reference:
https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/

The core problems brought up in CVE-2016-3718 and CVE-2016-3717 haven't
been fully addressed anywhere.

It's trivial to generate SSRF payloads for the formats processed through
html2ps and soffice. I'd also expect that SSRF is normal behavior for
uniconvertor, and RCE is normal behavior for blender and povray, but I
haven't verified.

If those are all counted separately...

No CVE assigned - SSRF via html2ps delegates
ImageMagick: Not fixed
GraphicsMagick: Not fixed
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - SSRF via soffice delegates
ImageMagick: Not fixed
GraphicsMagick: Not vulnerable
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - (assumed) SSRF via uniconvertor delegates
ImageMagick: Not fixed
GraphicsMagick: Not vulnerable
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - (assumed) RCE via blender delegate
ImageMagick: Not fixed
GraphicsMagick: Not vulnerable
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - (assumed) RCE via povray delegate
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Not fixed
Debian: Not fixed

Are there other formats that are unsafe and should be removed using the
policy configuration files?


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3691 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.