Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Sep 2016 05:17:01 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> On Wed, Sep 28, 2016 at 3:15 PM, Bob Friesenhahn
> <bfriesen@...ple.dallas.tx.us> wrote:
>> On Wed, 28 Sep 2016, Tavis Ormandy wrote:
>>>
>>>
>>> (/etc/passwd) /dumpname load 256 string filenameforall
>>> $ convert test.gif png:test.png
>>> <creates a file called test.png containing first line of /etc/passwd>
>>>
>>> Also seems to work with gm convert.
>>
>>
>> It is good that you did not single out just one using program.
>>
>> This issue seems to afflict any program which invokes Ghostscript in general
>> and not just *Magick.  However, 'convert' does offer to write a rendered
>> result to an output file.
>>
>
> I think I see the problem, ghostscript broke -dSAFER then they fixed
> it later but didn't allocate a CVE, so the distros never updated.
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ae930279498a5961fcf5d70ffe86864883609cbc
>
> I think it should be fixed in gs 9.10 or later (Debian appears to be
> on 9.06), but you can still enumerate filenames (just not the
> content).

Is anyone investigating this and taking care of CVE assignment already?

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.