oss-sec mailing list archives

Re: ImageMagick Is On Fire -- CVE-2016-3714


From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 3 May 2016 16:26:37 -0700

On Wed, May 04, 2016 at 01:38:49AM +0300, Karim Valiev wrote:
> The exploit was posted at Hacker News comments thread, so it's time to
> disclose the full story.

Thanks for this; here's the bulk of my reply to the distros@ list yesterday:

========

[...] I see attempts in the source code to apply
whitelists to allowed characters:

http://git.imagemagick.org/repos/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccf8888cddc93

"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
".@&;<>()/\\\'\":%=~`";

followed several days later by:

http://git.imagemagick.org/repos/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181

"^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
"+&@#/%?=~_|!:,.;()";

The ; and | entries make me think they haven't actually thought this
thing through in any real way yet. Shellshock showed that e.g. () may
look harmless enough without the $ but it is also dangerous. I think it's
probably a mistake to try to whitelist filter input in this fashion and
try to continue on in the case of failure. Error out in the case of
oddball inputs.

Another approach is to quote inputs following Florian Weimer's advice:
http://www.openwall.com/lists/oss-security/2014/02/04/7

        def shell_quote(s):
            return "'" + s.replace("'", r"'\''") + "'"

(In Python, but the idea should translate well.)

Or, generate the filenames to contain only safe chars. (See mkstemp(3),
the function already exists.)

Or, replace the strings with arrays and use execve() instead of system().

Or, scrap the entire delegates.xml idea, it seems like a strange thing to
bolt on to the side of the image processing toolkit.

========

Thanks

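The four options above side by side, as an added example that is not part of the mail or of ImageMagick's code. It takes the two whitelists quoted from the commits, pastes a filename into a hypothetical delegates.xml-style template (echo stands in for the real helper so the demonstration is harmless), and shows that a filename built only from whitelisted characters still splits the command line into two commands under sh -c, while Weimer's single-quote wrapping, an argv array, or an mkstemp(3)-generated name each keep it to one. The template string, the filenames and the grouping helper are assumptions made for the example.

```python
"""Added example (not from the mail or from ImageMagick): the two character
whitelists quoted above, a delegates.xml-style command template, Florian
Weimer's single-quote wrapping, and the argv-array route, side by side."""
import os
import shlex
import subprocess
import tempfile

# The two whitelists quoted in the mail, as Python strings (the C escapes
# \\ \' \" resolved to the characters they stand for).
WHITELIST_V1 = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_- "
                ".@&;<>()/\\'\":%=~`")
WHITELIST_V2 = ("^-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                "+&@#/%?=~_|!:,.;()")

# Hypothetical delegate template in the style of delegates.xml (assumption for
# this example): %i is the input filename, pasted as plain text into a command
# line that is handed to sh -c.  echo stands in for the real helper.
TEMPLATE = "echo converting %i"


def passes_whitelist(s, allowed):
    """The commits' approach: accept s if every character is on the list."""
    return all(c in allowed for c in s)


def shell_quote(s):
    """Weimer's quoting: wrap in single quotes, splice in escaped embedded ones."""
    return "'" + s.replace("'", r"'\''") + "'"


def build_command(template, filename, quote=None):
    """Substitute %i, either raw or through a quoting function."""
    arg = quote(filename) if quote else filename
    return template.replace("%i", arg)


def shell_commands(cmdline):
    """Tokenise a command line the way sh would and group the tokens into simple
    commands.  More than one group means the filename smuggled in an extra
    command.  Rough on purpose: quotes are stripped by the lexer, so a quoted
    argument made only of operator characters would be misgrouped."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    groups, current = [], []
    for tok in lexer:
        # runs of ; | & ( ) < > come back as their own tokens
        if tok and all(c in lexer.punctuation_chars for c in tok):
            if current:
                groups.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        groups.append(current)
    return groups


def run_via_shell(cmdline):
    """What system() does: hand the assembled string to sh -c."""
    return subprocess.run(["sh", "-c", cmdline], capture_output=True,
                          text=True).stdout


def run_via_argv(filename):
    """The execve() route: an argv array, no shell, nothing to quote."""
    return subprocess.run(["echo", "converting", filename],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    evil = "x.png;id"          # every character is on both whitelists
    for name, wl in (("v1", WHITELIST_V1), ("v2", WHITELIST_V2)):
        print(f"whitelist {name} accepts {evil!r}: {passes_whitelist(evil, wl)}")

    raw = build_command(TEMPLATE, evil)
    print("raw:    ", raw, "->", shell_commands(raw))
    print(run_via_shell(raw), end="")        # second line is id's output

    quoted = build_command(TEMPLATE, evil, shell_quote)
    print("quoted: ", quoted, "->", shell_commands(quoted))
    print(run_via_shell(quoted), end="")     # one line, filename intact

    print("argv:   ", run_via_argv(evil), end="")

    # mkstemp(3) route: let the library pick a name made of safe characters.
    fd, path = tempfile.mkstemp(suffix=".png")
    os.close(fd)
    os.unlink(path)
    print("mkstemp:", path)
```

Run it as a script to see sh -c execute `id` for the raw command line and print the filename verbatim for the quoted one. The standard library's shlex.quote implements the same single-quote wrapping as shell_quote, and subprocess.run with a list argument is the execve() route the mail recommends.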