oss-sec mailing list archives
Re: ImageMagick Is On Fire -- CVE-2016-3714
From: Brandon Dees <brandon () rietta com>
Date: Wed, 04 May 2016 00:05:16 +0000
Is it appropriate to ask if the same issues are present in GraphicsMagick as well?

On Tue, May 3, 2016 at 6:52 PM Tim <tim-security () sentinelchicken org> wrote:

> > Or, replace the strings with arrays and use execve() instead of system().
>
> ^^^ That.
>
> system() should be taken out into the street and shot. There's just no good reason for a respectable programmer to use it. Not saying that's the *only* thing they would need to do, but we need to encourage development platforms, in general, to stop offering up awful interfaces like this.
>
> Heck, Node.js offers a child_process.exec() call that isn't exec at all. It is (approximately) system(). Surely that won't lead to any problems...
>
> tim