Re: GraphicsMagick Response To "ImageTragick"

[John Lightsey <john () nixnuts net>]

On Mon, 2016-05-09 at 18:20 +0100, Simon McVittie wrote:
> On Mon, 09 May 2016 at 08:29:40 -0500, Bob Friesenhahn wrote:
> > 1. CVE-2016-3714 - Insufficient shell characters filtering
> >  
> >     GraphicsMagick is not susceptible to remote code execution except
> >     if gnuplot is installed (because gnuplot executes shell commands).
> >     Gnuplot-shell based shell exploits are possible without a gnuplot
> >     file being involved although gnuplot invokes the shell.  To fix
> >     this, the "gplt" entry in the delegates.mgk file must be removed.
>
> I think this should perhaps have a separate CVE ID assigned: it's the
> same impact (arbitrary code execution) and was discovered at around
> the same time, but the mechanism is not similar to the
> missing/insufficient quoting/escaping for ImageMagick's %M placeholder,
> which was the root cause of (the original incarnation of) CVE-2016-3714.
>
> In GraphicsMagick this was the "GPLT" format, removed in hg commit
> "Gnuplot files are inherently insecure. Remove delegates support for
> reading them."
> https://sourceforge.net/p/graphicsmagick/code/ci/45998a25992d1142df201d8cf024b
> 6c948b40748/
>
> In ImageMagick this was the "PLT" format, removed in this git commit with
> the misleading commit message "Update to the latest autoconf/automake":
> https://github.com/ImageMagick/ImageMagick/commit/e87116ab2bd070c47943d4118a18
> c8f3a47461e2
>
> MITRE, do you consider this to be:
>
> * part of CVE-2016-3714,
> * a single separate vulnerability to which both GraphicsMagick and ImageMagick
>   were vulnerable, or
> * two separate vulnerabilities, one in each package?


The "man" attack vector needs the same determination.

It is similar to CVE-2016-3717 in impact, but uses a different codepath. The
existing fixes for CVE-2016-3717 do not address it.

Attachment: signature.asc
Description: This is a digitally signed message part