Date: Mon, 09 May 2016 14:03:25 -0500
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: Re: GraphicsMagick Response To "ImageTragick"

On Mon, 2016-05-09 at 18:20 +0100, Simon McVittie wrote:
> On Mon, 09 May 2016 at 08:29:40 -0500, Bob Friesenhahn wrote:
> > 1. CVE-2016-3714 - Insufficient shell characters filtering
> > 
> >    GraphicsMagick is not susceptible to remote code execution except
> >    if gnuplot is installed (because gnuplot executes shell commands).
> >    Gnuplot-shell based shell exploits are possible without a gnuplot
> >    file being involved although gnuplot invokes the shell.  To fix
> >    this, the "gplt" entry in the delegates.mgk file must be removed.
> 
> I think this should perhaps have a separate CVE ID assigned: it's the
> same impact (arbitrary code execution) and was discovered at around
> the same time, but the mechanism is not similar to the
> missing/insufficient quoting/escaping for ImageMagick's %M placeholder,
> which was the root cause of (the original incarnation of) CVE-2016-3714.
> 
> In GraphicsMagick this was the "GPLT" format, removed in hg commit
> "Gnuplot files are inherently insecure. Remove delegates support for
> reading them."
> https://sourceforge.net/p/graphicsmagick/code/ci/45998a25992d1142df201d8cf024b6c948b40748/
> 
> In ImageMagick this was the "PLT" format, removed in this git commit with
> the misleading commit message "Update to the latest autoconf/automake":
> https://github.com/ImageMagick/ImageMagick/commit/e87116ab2bd070c47943d4118a18c8f3a47461e2
> 
> MITRE, do you consider this to be:
> 
> * part of CVE-2016-3714,
> * a single separate vulnerability to which both GraphicsMagick and ImageMagick
>   were vulnerable, or
> * two separate vulnerabilities, one in each package?
> 


The "man" attack vector needs the same determination.

It is similar to CVE-2016-3717 in impact, but uses a different codepath. The
existing fixes for CVE-2016-3717 do not address it.
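
As an added defender's check (not part of this thread or of either project's code): the fix Bob describes is removing the "gplt" delegate from delegates.mgk, so a host can be audited by parsing the delegate map and flagging entries that hand input to gnuplot. The sample map below is constructed in the XML layout the delegate files use; the attribute names decode/encode/command and the exact entries are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample delegate map (assumption: real delegates.mgk / delegates.xml
# files use this <delegatemap><delegate .../></delegatemap> layout and may carry
# extra attributes; only decode, encode and command matter for this check).
SAMPLE_DELEGATES = """<?xml version="1.0"?>
<delegatemap>
  <delegate decode="eps" encode="pdf" command='"gs" -q -dNOPAUSE "%i"' />
  <delegate decode="gplt" command='"gnuplot" "%i"' />
  <delegate decode="png" encode="webp" command='"cwebp" "%i" -o "%o"' />
</delegatemap>
"""

# Format names named in the thread: "gplt" (GraphicsMagick) and "plt" (ImageMagick).
RISKY_FORMATS = {"gplt", "plt"}


def find_risky_delegates(xml_text):
    """Return (format, command) pairs for delegate entries that should be removed:
    those registered for the gnuplot formats, or whose command invokes gnuplot."""
    root = ET.fromstring(xml_text)
    hits = []
    for entry in root.iter("delegate"):
        decode = (entry.get("decode") or "").lower()
        encode = (entry.get("encode") or "").lower()
        command = entry.get("command") or ""
        if (decode in RISKY_FORMATS or encode in RISKY_FORMATS
                or "gnuplot" in command.lower()):
            hits.append((decode or encode, command))
    return hits


def audit_delegate_file(path):
    """Convenience wrapper: audit an on-disk delegate map (e.g. delegates.mgk)."""
    with open(path, encoding="utf-8") as fh:
        return find_risky_delegates(fh.read())


if __name__ == "__main__":
    for fmt, cmd in find_risky_delegates(SAMPLE_DELEGATES):
        print(f"remove delegate {fmt!r}: {cmd}")
```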


