Re: ImageMagick Is On Fire -- CVE-2016-3714

[Seth Arnold <seth.arnold () canonical com>]

On Tue, May 03, 2016 at 08:42:30PM -0500, Bob Friesenhahn wrote:
> > This appears to be executed via:
> > https://sourceforge.net/p/graphicsmagick/code/ci/default/tree/magick/delegate.c
> > which tries to escape arguments using UnixShellTextEscape(). This function
> > appears to replace \`"$ chars with backslash-escaped versions. I'm not
> > sure this is a safe mechanism either.
>
> Please provide me with a working exploit.

Sorry, exploits aren't my strong suite.

Shells are crazy things though -- | & || && and ; make it easy to execute
additional commands. * ? {} and [] make it easy to turn "single" arguments
into many arguments or get forbidden characters from the filesystem into
the command line anyway. - can change behaviours of called programs. etc etc.

> Be aware that this quoting method is only used for the few delegates.mgk
> rules which require shell-like syntax to work. Otherwise the external
> program is run using execvp() without a shell.

Now this I love to hear. execve() makes me happy.

Thanks

Attachment: signature.asc
Description: