Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 23 May 2017 09:10:46 +0200
From: Solar Designer <solar@...nwall.com>
To: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder

On Mon, May 22, 2017 at 05:58:31PM -0500, Bob Friesenhahn wrote:
> On Mon, 22 May 2017, Thomas Deutschmann wrote:
> >Bob, do you have any PoC you can share with ImageMagick project
> >regarding CVE-2017-6335?
> >
> >Your fix was
> >https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/
> >
> >I asked ImageMagick project about that issue but they don't know without
> >a PoC, see https://github.com/ImageMagick/ImageMagick/issues/391
> 
> I have attached the problematic TIFF file.  I don't know if binary 
> attachments are accepted by this list.

Small binary attachments (total message size of up to 200 KB including
overhead) are accepted, but unfortunately image/tiff was on the
mimeremove list, so your attachment didn't get through.  I've just
removed image/tiff from mimeremove.  Please resend (if small enough).

As to why have mimeremove at all: many people use MUAs or/and have
signatures that always attach needless files (e.g., a text/html portion
linking to a company logo, which is also included).  But I guess use of
image/tiff for those is very unusual, so there was no good reason to
have this MIME type removed.

The current mimeremove is:

application/ms-tnef
text/html
text/x-vcard
image/gif
image/jpeg
image/png

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ