Date: Wed, 28 Sep 2016 16:03:08 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
Cc: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Wed, Sep 28, 2016 at 3:15 PM, Bob Friesenhahn
<bfriesen@...ple.dallas.tx.us> wrote:
> On Wed, 28 Sep 2016, Tavis Ormandy wrote:
>>
>>
>> (/etc/passwd) /dumpname load 256 string filenameforall
>> $ convert test.gif png:test.png
>> <creates a file called test.png containing first line of /etc/passwd>
>>
>> Also seems to work with gm convert.
>
>
> It is good that you did not single out just one using program.
>
> This issue seems to afflict any program which invokes Ghostscript in general
> and not just *Magick.  However, 'convert' does offer to write a rendered
> result to an output file.
>

I think I see the problem, ghostscript broke -dSAFER then they fixed
it later but didn't allocate a CVE, so the distros never updated.

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ae930279498a5961fcf5d70ffe86864883609cbc

I think it should be fixed in gs 9.10 or later (Debian appears to be
on 9.06), but you can still enumerate filenames (just not the
content).

Tavis
