oss-sec mailing list archives
Re: GraphicsMagick Response To "ImageTragick"
From: John Lightsey <john () nixnuts net>
Date: Mon, 09 May 2016 14:03:25 -0500
On Mon, 2016-05-09 at 18:20 +0100, Simon McVittie wrote:
> On Mon, 09 May 2016 at 08:29:40 -0500, Bob Friesenhahn wrote:
>> 1. CVE-2016-3714 - Insufficient shell characters filtering
>>
>> GraphicsMagick is not susceptible to remote code execution except if gnuplot is installed (because gnuplot executes shell commands). Gnuplot-shell based shell exploits are possible without a gnuplot file being involved although gnuplot invokes the shell. To fix this, the "gplt" entry in the delegates.mgk file must be removed.
>
> I think this should perhaps have a separate CVE ID assigned: it's the same impact (arbitrary code execution) and was discovered at around the same time, but the mechanism is not similar to the missing/insufficient quoting/escaping for ImageMagick's %M placeholder, which was the root cause of (the original incarnation of) CVE-2016-3714.
>
> In GraphicsMagick this was the "GPLT" format, removed in hg commit "Gnuplot files are inherently insecure. Remove delegates support for reading them."
> https://sourceforge.net/p/graphicsmagick/code/ci/45998a25992d1142df201d8cf024b6c948b40748/
>
> In ImageMagick this was the "PLT" format, removed in this git commit with the misleading commit message "Update to the latest autoconf/automake":
> https://github.com/ImageMagick/ImageMagick/commit/e87116ab2bd070c47943d4118a18c8f3a47461e2
>
> MITRE, do you consider this to be:
> * part of CVE-2016-3714,
> * a single separate vulnerability to which both GraphicsMagick and ImageMagick were vulnerable, or
> * two separate vulnerabilities, one in each package?
The "man" attack vector needs the same determination. It is similar to CVE-2016-3717 in impact, but uses a different codepath. The existing fixes for CVE-2016-3717 do not address it.
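As an added illustration (not part of this thread, and not GraphicsMagick's own tooling): a small Python audit that lists the decode delegates configured in a delegates.mgk file and strips the "gplt" entry, which is the mitigation Bob describes above. The sample file is constructed; the XML layout (a <delegatemap> holding <delegate decode=... encode=... command=.../> children) is assumed to match GraphicsMagick's format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed delegates.mgk layout. The gnuplot entry is
# the one the thread says must be removed; the other two are ordinary delegates.
SAMPLE_DELEGATES_MGK = """<?xml version="1.0"?>
<delegatemap>
  <delegate decode="gplt" command='"gnuplot" "%i"'/>
  <delegate decode="ps" encode="pdf" command='"gs" -q -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile="%o" "%i"'/>
  <delegate encode="mpeg" command='"ffmpeg" -i "%i" "%o"'/>
</delegatemap>
"""

# Decode delegates that hand the input file to an interpreter which can itself
# run shell commands. Only "gplt" comes from the thread; extend as policy dictates.
RISKY_DECODERS = {"gplt"}


def list_decoders(xml_text):
    """Return the decode formats for which a delegate program is configured."""
    root = ET.fromstring(xml_text)
    return [d.get("decode") for d in root.iter("delegate") if d.get("decode")]


def risky_entries(xml_text):
    """Return (decode, command) pairs for delegates on the risky list."""
    root = ET.fromstring(xml_text)
    return [(d.get("decode"), d.get("command"))
            for d in root.iter("delegate")
            if d.get("decode") in RISKY_DECODERS]


def remove_decoder(xml_text, name):
    """Drop every delegate with decode=name; return (new_xml, removed_count)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for d in list(root.findall("delegate")):
        if d.get("decode") == name:
            root.remove(d)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for decode, cmd in risky_entries(SAMPLE_DELEGATES_MGK):
        print(f"risky delegate: decode={decode!r} command={cmd!r}")
    hardened, n = remove_decoder(SAMPLE_DELEGATES_MGK, "gplt")
    print(f"removed {n} entry/entries; remaining decoders: {list_decoders(hardened)}")
```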