Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Sep 2016 05:17:01 +0200
From: Florian Weimer <>
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> On Wed, Sep 28, 2016 at 3:15 PM, Bob Friesenhahn
> <> wrote:
>> On Wed, 28 Sep 2016, Tavis Ormandy wrote:
>>> (/etc/passwd) /dumpname load 256 string filenameforall
>>> $ convert test.gif png:test.png
>>> <creates a file called test.png containing first line of /etc/passwd>
>>> Also seems to work with gm convert.
>> It is good that you did not single out just one using program.
>> This issue seems to afflict any program which invokes Ghostscript in general
>> and not just *Magick.  However, 'convert' does offer to write a rendered
>> result to an output file.
> I think I see the problem, ghostscript broke -dSAFER then they fixed
> it later but didn't allocate a CVE, so the distros never updated.
> I think it should be fixed in gs 9.10 or later (Debian appears to be
> on 9.06), but you can still enumerate filenames (just not the
> content).

Is anyone investigating this and taking care of CVE assignment already?

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ