oss-sec mailing list archives
Re: ImageMagick Is On Fire -- CVE-2016-3714
From: John Lightsey <jd () cpanel net>
Date: Thu, 19 May 2016 16:27:09 -0500
On 5/19/16 2:00 PM, Simon McVittie wrote:
> Bob, if you would like distributions to pick up GraphicsMagick security fixes in a timely way, it would probably be really useful to do an upstream release - distributions are typically a lot more confident about backporting large changes to their stable branches without regressions if they've been able to get some testing on the same changes in their unstable branches first.
I spent quite a bit of time looking at the ImageMagick, GraphicsMagick, RedHat and Debian changes trying to piece together a proper list of flaws to fix through backporting and policy file changes. I also spent some time looking at the remaining delegates trying to figure out which will have near-identical flaws to the issues that have already been fixed. This is the list I'm working off of. For RedHat and Debian, I only checked the ImageMagick updates.

CVE-2016-3714 - RCE via shell characters in delegate invocation
  ImageMagick: Fixed
  GraphicsMagick: Not vulnerable
  RedHat: Fixed
  Debian: Fixed

CVE-2016-3718 - SSRF via HTTP and FTP coders
  ImageMagick: Not fixed
  GraphicsMagick: Not fixed
  RedHat: Fixed
  Debian: Fixed

CVE-2016-3715 - File deletion via EPHEMERAL coder
  ImageMagick: Fixed
  GraphicsMagick: Fixed
  RedHat: Fixed
  Debian: Fixed

CVE-2016-3716 - File move via MSL coder
  ImageMagick: Fixed
  GraphicsMagick: Fixed
  RedHat: Fixed
  Debian: Fixed

CVE-2016-3717 - File read via LABEL coder
  ImageMagick: Not fixed?
  GraphicsMagick: Not fixed?
  RedHat: Fixed
  Debian: Fixed

No CVE assigned - Heap overflow in PICT parser
  ImageMagick: Fixed
  GraphicsMagick: ??
  RedHat: Not fixed
  Debian: Not fixed
  Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

No CVE assigned - Out of bounds read in the PSD parser
  ImageMagick: Fixed
  GraphicsMagick: ??
  RedHat: Not fixed
  Debian: Not fixed
  Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

No CVE assigned - RCE via gnuplot delegate
  ImageMagick: Fixed
  GraphicsMagick: Fixed
  RedHat: Not fixed
  Debian: Fixed
  Reference: http://www.openwall.com/lists/oss-security/2016/05/09/1

No CVE assigned - File read via man delegate
  ImageMagick: Fixed
  GraphicsMagick: Fixed
  RedHat: Not fixed
  Debian: Not fixed
  Reference: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/

The core problems brought up in CVE-2016-3718 and CVE-2016-3717 haven't been fully addressed anywhere.

It's trivial to generate SSRF payloads for the formats processed through html2ps and soffice. I'd also expect that SSRF is normal behavior for uniconvertor, and RCE is normal behavior for blender and povray, but I haven't verified. If those are all counted separately...

No CVE assigned - SSRF via html2ps delegates
  ImageMagick: Not fixed
  GraphicsMagick: Not fixed
  RedHat: Not fixed
  Debian: Not fixed

No CVE assigned - SSRF via soffice delegates
  ImageMagick: Not fixed
  GraphicsMagick: Not vulnerable
  RedHat: Not fixed
  Debian: Not fixed

No CVE assigned - (assumed) SSRF via uniconvertor delegates
  ImageMagick: Not fixed
  GraphicsMagick: Not vulnerable
  RedHat: Not fixed
  Debian: Not fixed

No CVE assigned - (assumed) RCE via blender delegate
  ImageMagick: Not fixed
  GraphicsMagick: Not vulnerable
  RedHat: Not fixed
  Debian: Not fixed

No CVE assigned - (assumed) RCE via povray delegate
  ImageMagick: Fixed
  GraphicsMagick: Fixed
  RedHat: Not fixed
  Debian: Not fixed

Are there other formats that are unsafe and should be removed using the policy configuration files?
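The message closes on the policy configuration files as the mitigation for coders that are still unfixed. As an added example, not code from the thread or from ImageMagick, the script below parses a policy.xml and reports which of the coders named in the fix matrix (EPHEMERAL, MSL, LABEL, HTTP, FTP) have no rights="none" entry; the sample policy is constructed, and the glob matching is an approximation of ImageMagick's own pattern matcher.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the thread's fix matrix (EPHEMERAL, MSL, LABEL for
# CVE-2016-3715/-3716/-3717; HTTP and FTP for CVE-2016-3718).
THREAD_CODERS = ["EPHEMERAL", "MSL", "LABEL", "HTTP", "FTP"]

# Constructed sample policy.xml: only two of the five coders are denied,
# mirroring a partially backported fix.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""


def denied_coder_patterns(policy_xml):
    """Collect the 'pattern' of every coder-domain policy with rights="none".

    Assumption: a rights="none" coder entry is the form used to disable a
    coder; other rights strings (e.g. "read|write") are not treated as a deny.
    """
    root = ET.fromstring(policy_xml)
    patterns = []
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        patterns.append(pol.get("pattern", ""))
    return patterns


def coders_not_denied(policy_xml, coders=THREAD_CODERS):
    """Return the coders from `coders` that no rights="none" entry matches.

    Matching is approximated with a case-insensitive shell glob; ImageMagick's
    own matcher also supports brace alternation, which this check does not.
    """
    patterns = [p.upper() for p in denied_coder_patterns(policy_xml)]
    missing = []
    for coder in coders:
        if not any(fnmatch.fnmatchcase(coder.upper(), p) for p in patterns):
            missing.append(coder)
    return missing


if __name__ == "__main__":
    for coder in coders_not_denied(SAMPLE_POLICY):
        print("policy.xml does not deny coder:", coder)
```

Point it at the policy.xml of an installed ImageMagick (for example via `convert -list policy` to find the active path) to see which of the coders discussed here are still enabled on a given host.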