Re: ImageMagick Is On Fire -- CVE-2016-3714

[Solar Designer <solar () openwall com>]

Thank you for bringing this in here, Ryan.

On Tue, May 03, 2016 at 10:59:12AM -0700, Ryan Huber wrote:
> What are "magic bytes"?
>
> The first few bytes of a file can often used to identify the type of
> file. Some examples are GIF images, which start with the hex bytes "47
> 49 46 38", and JPEG images, which start with "FF D8". This list on
> Wikipedia has the magic bytes for most common file types.

It may be preferable to refer to ImageMagick's own list of magics.
HD Moore tweeted the relevant links:

<hdmoore> Two reasons you probably shouldn't be using ImageMagick in your web applications: 
https://github.com/ImageMagick/ImageMagick/blob/8c9d68ca4241b6faafa7a35658a125c3500a5edf/MagickCore/magic.c#L89 & 
https://github.com/ImageMagick/ImageMagick/blob/e93e339c0a44cec16c08d78241f7aa3754485004/www/source/delegates.xml#L62
<hdmoore> ImageTragick: Upload(meme.png)->(IM detects non-png format based on file magic)->(IM uses insecure delegates 
to decode)->Shells!

> ImageMagick also disclosed this on their forum a few hours ago.

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Alexander