oss-sec mailing list archives
Re: ImageMagick identify "d:" hangs
From: Florian Weimer <fw () deneb enyo de>
Date: Thu, 29 Sep 2016 05:17:01 +0200
* Tavis Ormandy:
> On Wed, Sep 28, 2016 at 3:15 PM, Bob Friesenhahn <bfriesen () simple dallas tx us> wrote:
>> On Wed, 28 Sep 2016, Tavis Ormandy wrote:
>>> (/etc/passwd) /dumpname load 256 string filenameforall
>>>
>>> $ convert test.gif png:test.png
>>> <creates a file called test.png containing first line of /etc/passwd>
>>>
>>> Also seems to work with gm convert.
>>
>> It is good that you did not single out just one using program. This issue seems to afflict any program which invokes Ghostscript in general and not just *Magick. However, 'convert' does offer to write a rendered result to an output file.
>
> I think I see the problem, ghostscript broke -dSAFER then they fixed it later but didn't allocate a CVE, so the distros never updated.
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ae930279498a5961fcf5d70ffe86864883609cbc
>
> I think it should be fixed in gs 9.10 or later (Debian appears to be on 9.06), but you can still enumerate filenames (just not the content).
Is anyone investigating this and taking care of CVE assignment already?
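
A defensive pre-flight check for the situation quoted above, where a file named test.gif ends up rendered through Ghostscript: it classifies an upload by its leading bytes rather than its extension. This is an added example, not part of the original thread; the function names, the extension allow-list and the sample byte strings are constructed for illustration.

```python
import os

# Leading bytes of formats that image converters delegate to Ghostscript.
GHOSTSCRIPT_MAGIC = (
    (b"%!", "PostScript/EPS"),
    (b"\xc5\xd0\xd3\xc6", "EPS (binary preview header)"),
    (b"%PDF-", "PDF"),
)

# Extensions for which Ghostscript-rendered content is expected.
# Assumption for this example; tighten or empty it to match local policy.
EXPECTED_EXTS = {".ps", ".eps", ".epsf", ".epsi", ".pdf"}


def sniff_ghostscript_format(head: bytes):
    """Return a format name if the data starts like a Ghostscript-rendered
    format, otherwise None. Leading whitespace is ignored to stay conservative."""
    stripped = head.lstrip(b" \t\r\n")
    for magic, name in GHOSTSCRIPT_MAGIC:
        if stripped.startswith(magic):
            return name
    return None


def check_upload(filename: str, head: bytes) -> dict:
    """Flag files whose content would reach Ghostscript although the name
    claims another format (for example PostScript saved as test.gif)."""
    fmt = sniff_ghostscript_format(head)
    ext = os.path.splitext(filename)[1].lower()
    return {
        "filename": filename,
        "ghostscript_format": fmt,
        "disguised": fmt is not None and ext not in EXPECTED_EXTS,
    }


if __name__ == "__main__":
    # Constructed sample inputs: only the first bytes of each file matter.
    samples = [
        ("test.gif", b"%!PS-Adobe-3.0\n"),         # PostScript behind a .gif name
        ("photo.gif", b"GIF89a\x01\x00\x01\x00"),  # genuine GIF header
        ("report.pdf", b"%PDF-1.4\n"),             # PDF with a matching name
    ]
    for name, head in samples:
        print(check_upload(name, head))
```

Files reported as `disguised` can be rejected before `convert` or `gm convert` is invoked, which keeps the decision independent of the installed Ghostscript version.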