Date: Sun, 29 May 2016 22:02:53 -0400 (EDT)
From: cve-assign@...re.org
To: bfriesen@...ple.dallas.tx.us
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename

> if the first character of the file specification is
> a '|', then the remainder of the filename is passed to the shell for
> execution using the POSIX popen(3C) function
>
> The simple solution to the problem is to disable the popen support
> (HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the
> attached patch.

Use CVE-2016-5118.

> Previously supplied recommended patches for GraphicsMagick do
> successfully block this attack vector in SVG and MVG.

If there was a previous announcement of a vulnerability fix for a
subset of the exploitation methodologies, then a separate CVE ID is
also needed. The scope of CVE-2016-5118 is only the new "initial |
character" information announced in the
http://www.openwall.com/lists/oss-security/2016/05/29/7 post. (For
example, if there had previously been any type of announcement that
the xlink:href="| substring was being blocked in the native SVG
readers, then that can have its own unique CVE ID.)
-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
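The behaviour quoted in the message above, and the effect of compiling without HAVE_POPEN, as an added C sketch; it is a simplified model, not GraphicsMagick's magick/blob.c and not part of the original message. The names `filespec_is_pipe`, `open_filespec` and `filespec_allowed`, the caller-side guard, and the sample file names are assumptions made for illustration.

```c
/* Added illustration: simplified model, not GraphicsMagick's magick/blob.c. */
#include <stdio.h>
#include <stddef.h>

/* Returns 1 when the file specification would select the pipe path. */
int filespec_is_pipe(const char *spec)
{
    return spec != NULL && spec[0] == '|';
}

/* Open a file specification for reading; *is_pipe tells the caller
 * whether the handle came from popen(). With HAVE_POPEN undefined (the
 * state the quoted patch produces) the '|' branch is compiled out and
 * the string is only ever treated as a file name. */
FILE *open_filespec(const char *spec, int *is_pipe)
{
    *is_pipe = 0;
    if (spec == NULL || spec[0] == '\0')
        return NULL;
#if defined(HAVE_POPEN)
    if (filespec_is_pipe(spec)) {
        /* Pattern described in the report: rest of the name goes to the shell. */
        *is_pipe = 1;
        return popen(spec + 1, "r");
    }
#endif
    return fopen(spec, "rb");
}

/* Hypothetical caller-side guard: refuse the specification before it
 * reaches an image library that may still have the pipe path enabled. */
int filespec_allowed(const char *spec)
{
    return spec != NULL && spec[0] != '\0' && !filespec_is_pipe(spec);
}

int main(void)
{
    /* Constructed sample names, not taken from the report. */
    const char *samples[] = { "photo.png", "|constructed-command", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int is_pipe;
        FILE *f = open_filespec(samples[i], &is_pipe);
        printf("%-22s allowed=%d opened=%s\n", samples[i],
               filespec_allowed(samples[i]),
               f ? (is_pipe ? "pipe" : "file") : "no");
        if (f != NULL)
            fclose(f); /* a HAVE_POPEN build must pclose() pipe handles */
    }
    return 0;
}
```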