oss-sec mailing list archives

Re: ImageMagick Is On Fire -- CVE-2016-3714

From: Brandon Dees <brandon () rietta com>
Date: Wed, 04 May 2016 00:05:16 +0000

is it appropriate to ask if the same issues are present in GraphicsMagick
as well?

On Tue, May 3, 2016 at 6:52 PM Tim <tim-security () sentinelchicken org> wrote:

Or, replace the strings with arrays and use execve() instead of system().


^^^

That.

system() should be taken out into the street and shot.  There's just
no good reason for a respectable programmer to use it.

Not saying that's the *only* thing they would need to do, but we need
to encourage development platforms, in general, to stop offering up
awful interfaces like this.  Heck, Node.js offers a child_process.exec()
call that isn't exec at all.  It is (approximately) system().  Surely
that won't lead to any problems...

tim

Current thread:

ImageMagick Is On Fire -- CVE-2016-3714 Ryan Huber (May 03)
- Re: ImageMagick Is On Fire -- CVE-2016-3714 Solar Designer (May 03)
  - Re: ImageMagick Is On Fire -- CVE-2016-3714 Karim Valiev (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Tim (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Brandon Dees (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Seth Arnold (May 03)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Jeremy Stanley (May 19)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Kurt Seifried (May 19)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Simon McVittie (May 19)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 Bob Friesenhahn (May 19)
    - Re: ImageMagick Is On Fire -- CVE-2016-3714 John Lightsey (May 19)

(Thread continues...)