Date: Thu, 29 Sep 2016 05:17:01 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> On Wed, Sep 28, 2016 at 3:15 PM, Bob Friesenhahn
> <bfriesen@...ple.dallas.tx.us> wrote:
>> On Wed, 28 Sep 2016, Tavis Ormandy wrote:
>>>
>>>
>>> (/etc/passwd) /dumpname load 256 string filenameforall
>>> $ convert test.gif png:test.png
>>> <creates a file called test.png containing first line of /etc/passwd>
>>>
>>> Also seems to work with gm convert.
>>
>>
>> It is good that you did not single out just one using program.
>>
>> This issue seems to afflict any program which invokes Ghostscript in general
>> and not just *Magick. However, 'convert' does offer to write a rendered
>> result to an output file.
>>
>
> I think I see the problem, ghostscript broke -dSAFER then they fixed
> it later but didn't allocate a CVE, so the distros never updated.
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ae930279498a5961fcf5d70ffe86864883609cbc
>
> I think it should be fixed in gs 9.10 or later (Debian appears to be
> on 9.06), but you can still enumerate filenames (just not the
> content).

Is anyone investigating this and taking care of CVE assignment already?