Date: Thu, 29 Sep 2016 05:17:01 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> On Wed, Sep 28, 2016 at 3:15 PM, Bob Friesenhahn
> <bfriesen@...ple.dallas.tx.us> wrote:
>> On Wed, 28 Sep 2016, Tavis Ormandy wrote:
>>>
>>>
>>> (/etc/passwd) /dumpname load 256 string filenameforall
>>> $ convert test.gif png:test.png
>>> <creates a file called test.png containing first line of /etc/passwd>
>>>
>>> Also seems to work with gm convert.
>>
>>
>> It is good that you did not single out just one using program.
>>
>> This issue seems to afflict any program which invokes Ghostscript in general
>> and not just *Magick.  However, 'convert' does offer to write a rendered
>> result to an output file.
>>
>
> I think I see the problem, ghostscript broke -dSAFER then they fixed
> it later but didn't allocate a CVE, so the distros never updated.
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ae930279498a5961fcf5d70ffe86864883609cbc
>
> I think it should be fixed in gs 9.10 or later (Debian appears to be
> on 9.06), but you can still enumerate filenames (just not the
> content).

Is anyone investigating this and taking care of CVE assignment already?
