Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 May 2016 16:26:37 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: Karim Valiev <valievkarim@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

On Wed, May 04, 2016 at 01:38:49AM +0300, Karim Valiev wrote:
> The exploit was posted at Hacker News comments thread, so it's time to
> disclose the full story.

Thanks for this; here's the bulk of my reply to the distros@ list yesterday:

========

[...] I see attempts in the source code to apply
whitelists to allowed characters:

http://git.imagemagick.org/repos/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccf8888cddc93

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
".@&;<>()/\\\'\":%=~`";

followed several days later by:

http://git.imagemagick.org/repos/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181

"^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
"+&@...?=~_|!:,.;()";

The ; and | entries make me think they haven't actually thought this
thing through in any real way yet. Shellshock showed that e.g. () may
look harmless enough without the $ but it is also dangerous. I think it's
probably a mistake to try to whitelist filter input in this fashion and
try to continue on in the case of failure. Error out in the case of
oddball inputs.

Another approach is to quote inputs following Florian Weimer's advice:
http://www.openwall.com/lists/oss-security/2014/02/04/7

        return "'" + s.replace("'"', r"'\''")  + "'"

(In Python, but the idea should translate well.)

Or, generate the filenames to contain only safe chars. (See mkstemp(3),
the function already exists.)

Or, replace the strings with arrays and use execve() instead of system().

Or, scrap the entire delegates.xml idea, it seems like a strange thing to
bolt on to the side of the image processing toolkit.

========

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.