Date: Sun, 29 May 2016 22:02:53 -0400 (EDT)
From: cve-assign@...re.org
To: bfriesen@...ple.dallas.tx.us
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> if the first character of the file specification is
> a '|', then the remainder of the filename is passed to the shell for
> execution using the POSIX popen(3C) function
>
> The simple solution to the problem is to disable the popen support
> (HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the
> attached patch.

Use CVE-2016-5118.

> Previously supplied recommended patches for GraphicsMagick do
> successfully block this attack vector in SVG and MVG.

If there was a previous announcement of a vulnerability fix for a
subset of the exploitation methodologies, then a separate CVE ID is
also needed. The scope of CVE-2016-5118 is only the new "initial |
character" information announced in the
http://www.openwall.com/lists/oss-security/2016/05/29/7 post. (For
example, if there had previously been any type of announcement that
the xlink:href="| substring was being blocked in the native SVG
readers, then that can have its own unique CVE ID.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
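
The leading-'|' filename handling quoted in the message above, as an added C sketch that is not part of the original post and is not GraphicsMagick's magick/blob.c. The names `classify_spec` and `open_spec` are hypothetical, the specifications in `main` are constructed, and refusing a pipe specification when `HAVE_POPEN` is undefined is this sketch's choice.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>

/* Hypothetical names; this is an illustration, not GraphicsMagick code. */
typedef enum { SPEC_FILE, SPEC_PIPE, SPEC_INVALID } spec_kind;

/* Classify a file specification as the quoted report describes it:
   only a '|' in the first position marks the rest as a shell command. */
spec_kind classify_spec(const char *spec)
{
    if (spec == NULL || *spec == '\0')
        return SPEC_INVALID;
    return (*spec == '|') ? SPEC_PIPE : SPEC_FILE;
}

/* Open a specification for reading. The popen() branch is compiled only
   when the build defines HAVE_POPEN. Without it, a '|' specification is
   refused here (assumption of this sketch) and never reaches a shell. */
FILE *open_spec(const char *spec, int *is_pipe)
{
    *is_pipe = 0;
    switch (classify_spec(spec)) {
    case SPEC_PIPE:
#ifdef HAVE_POPEN
        *is_pipe = 1;                  /* caller must pclose(), not fclose() */
        return popen(spec + 1, "r");   /* the pattern the report describes */
#else
        return NULL;                   /* pipe support disabled at build time */
#endif
    case SPEC_FILE:
        return fopen(spec, "rb");
    default:
        return NULL;
    }
}

int main(void)
{
    /* Constructed sample specifications. */
    const char *specs[] = { "photo.png", "|echo constructed", "a|b.png", "" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-20s kind=%d\n", specs[i], (int)classify_spec(specs[i]));
    return 0;
}
```

Built without `-DHAVE_POPEN`, the second specification is classified as `SPEC_PIPE` and `open_spec` returns `NULL` for it.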