oss-sec mailing list archives
Re: ImageMagick Is On Fire -- CVE-2016-3714
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 3 May 2016 16:26:37 -0700
On Wed, May 04, 2016 at 01:38:49AM +0300, Karim Valiev wrote:
> The exploit was posted at Hacker News comments thread, so it's time to disclose the full story.
Thanks for this; here's the bulk of my reply to the distros@ list yesterday:

========

[...]

I see attempts in the source code to apply whitelists to allowed characters:

http://git.imagemagick.org/repos/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccf8888cddc93

    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
    ".@&;<>()/\\\'\":%=~`";

followed several days later by:

http://git.imagemagick.org/repos/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181

    "^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "+&@#/%?=~_|!:,.;()";

The ; and | entries make me think they haven't actually thought this thing through in any real way yet. Shellshock showed that e.g. () may look harmless enough without the $ but it is also dangerous.

I think it's probably a mistake to try to whitelist filter input in this fashion and try to continue on in the case of failure. Error out in the case of oddball inputs.

Another approach is to quote inputs following Florian Weimer's advice:

http://www.openwall.com/lists/oss-security/2014/02/04/7

    return "'" + s.replace("'", r"'\''") + "'"

(In Python, but the idea should translate well.)

Or, generate the filenames to contain only safe chars. (See mkstemp(3), the function already exists.)

Or, replace the strings with arrays and use execve() instead of system().

Or, scrap the entire delegates.xml idea, it seems like a strange thing to bolt on to the side of the image processing toolkit.

========

Thanks
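The following is an added example, not code from the mail above or from ImageMagick. It takes the two whitelist character sets quoted from the cited commits, checks which shell metacharacters each still admits, and contrasts that with the two alternatives the mail recommends: Florian Weimer's single-quote wrapping (checked by splitting the result the way a POSIX shell would, without executing anything) and passing the filename as one argv element so no shell is involved. The set of "special" shell characters, the strict-name check and the function names are assumptions made for the example.

```python
import re
import shlex

# Character sets copied from the two ImageMagick commits cited in the mail.
WHITELIST_1 = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
               ".@&;<>()/\\'\":%=~`")
WHITELIST_2 = ("^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
               "+&@#/%?=~_|!:,.;()")

# Characters a POSIX shell treats specially when they appear unquoted on a
# command line (an illustrative subset chosen for this example, not a complete
# list): command separators, pipes, redirections, subshells, expansion, globs.
SHELL_SPECIAL = set(";|&<>()`$\\\"'*? \t\n")


def passes_whitelist(text, allowed):
    """True if every character of text is in the allowed set (the commits' approach)."""
    return all(ch in allowed for ch in text)


def shell_special_but_allowed(allowed):
    """Shell metacharacters that a whitelist would still let through, sorted."""
    return "".join(sorted(SHELL_SPECIAL & set(allowed)))


def require_strict_name(text):
    """The 'error out on oddball inputs' option: accept a conservative
    filename shape (assumed pattern) and raise instead of continuing."""
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", text):
        raise ValueError("unexpected characters in filename")
    return text


def sh_quote(s):
    """Florian Weimer's quoting: wrap in single quotes and turn each embedded
    single quote into '\\'' (close quote, escaped quote, reopen quote)."""
    return "'" + s.replace("'", r"'\''") + "'"


def words_seen_by_shell(command_line):
    """How a POSIX shell would split the line into words; nothing is executed."""
    return shlex.split(command_line)


def delegate_argv(program, filename):
    """The execve()-style alternative: the filename travels as one argv
    element, so no shell parses it and no quoting is needed at all."""
    return [program, filename]


if __name__ == "__main__":
    for name, wl in (("first commit", WHITELIST_1), ("second commit", WHITELIST_2)):
        print(f"{name} still allows: {shell_special_but_allowed(wl)!r}")
    print(words_seen_by_shell("convert " + sh_quote("a b's.png") + " out.png"))
    print(delegate_argv("convert", "a b's.png"))
```

The whitelist check returns true for a name containing `;` under the second commit's set, which is exactly the mail's complaint; the quoting function turns any filename into a single shell word, and the argv form avoids the question entirely.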
Current thread:
- ImageMagick Is On Fire -- CVE-2016-3714 Ryan Huber (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Solar Designer (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Karim Valiev (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Tim (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Brandon Dees (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Karim Valiev (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Solar Designer (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Jeremy Stanley (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Kurt Seifried (May 19)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Simon McVittie (May 19)