Date: Tue, 23 May 2017 09:10:46 +0200 From: Solar Designer <solar@...nwall.com> To: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us> Cc: oss-security@...ts.openwall.com Subject: Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder On Mon, May 22, 2017 at 05:58:31PM -0500, Bob Friesenhahn wrote: > On Mon, 22 May 2017, Thomas Deutschmann wrote: > >Bob, do you have any PoC you can share with ImageMagick project > >regarding CVE-2017-6335? > > > >Your fix was > >https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/ > > > >I asked ImageMagick project about that issue but they don't know without > >a PoC, see https://github.com/ImageMagick/ImageMagick/issues/391 > > I have attached the problematic TIFF file. I don't know if binary > attachments are accepted by this list. Small binary attachments (total message size of up to 200 KB including overhead) are accepted, but unfortunately image/tiff was on the mimeremove list, so your attachment didn't get through. I've just removed image/tiff from mimeremove. Please resend (if small enough). As to why have mimeremove at all: many people use MUAs or/and have signatures that always attach needless files (e.g., a text/html portion linking to a company logo, which is also included). But I guess use of image/tiff for those is very unusual, so there was no good reason to have this MIME type removed. The current mimeremove is: application/ms-tnef text/html text/x-vcard image/gif image/jpeg image/png Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ