oss-sec mailing list archives

Re: ImageMagick Is On Fire -- CVE-2016-3714


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Fri, 20 May 2016 08:52:31 -0500 (CDT)

On Thu, 19 May 2016, John Lightsey wrote:

> This is the list I'm working off of. For RedHat and Debian, I only
> checked the ImageMagick updates.
>
> CVE-2016-3718 - SSRF via HTTP and FTP coders
> ImageMagick: Not fixed
> GraphicsMagick: Not fixed
> RedHat: Fixed
> Debian: Fixed

The above topic is worthy of discussion. What is a security issue in some contexts is normal and necessary in others.

> No CVE assigned - Heap overflow in PICT parser
> ImageMagick: Fixed
> GraphicsMagick: ??
> RedHat: Not fixed
> Debian: Not fixed
> Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

The GraphicsMagick development code is not vulnerable to this one. GraphicsMagick may have been vulnerable in the past.

> No CVE assigned - Out of bounds read in the PSD parser
> ImageMagick: Fixed
> GraphicsMagick: ??
> RedHat: Not fixed
> Debian: Not fixed
> Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

The GraphicsMagick development code is not vulnerable to this one. GraphicsMagick may have been vulnerable in the past.

> Are there other formats that are unsafe and should be removed using the
> policy configuration files?

In interest of full-disclosure, the GraphicsMagick project has fixed approximately 45 CVE-worthy issues since the last release, not including issues covered by CVE-2016-2317 and CVE-2016-2318 (which are fixed in the development code). Many of the test files are published in full open view on bug trackers or other places.

In a similar time-frame, the ImageMagick project has been provided a great many files (likely more than 100) which crash the software and many of these files are published in full open view on bug trackers or other places. Commits and other records show that problems are being fixed.

When fixed versions are released, OS distributions which continue to provide 3-year-old releases are exposing users to releases with perhaps hundreds of fixed vulnerabilities which can be triggered using publicly available files.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
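As an added example, not part of this thread or of either project's shipped configuration, here is an ImageMagick policy.xml fragment that denies the coders the list above names (HTTP/FTP for the SSRF issue, PICT and PSD for the parser bugs) and, going one step beyond the thread, the "@file" indirect-read path. It assumes ImageMagick's policy.xml mechanism and its coder names (URL, HTTP, HTTPS, FTP, PICT, PSD); the file location is distribution-specific and given only as an assumption.

```xml
<!-- Added example: ImageMagick policy.xml (typically under /etc/ImageMagick-6/
     or a similar path; the exact location is an assumption and varies by
     distribution). This file is ImageMagick-specific. -->
<policymap>
  <!-- CVE-2016-3718: the URL/HTTP/HTTPS/FTP coders let an image that references
       a remote resource make ImageMagick fetch it (SSRF). Deny them unless the
       deployment genuinely needs remote reads; as the thread notes, what is a
       security issue in one context is a required feature in another. -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="FTP" />

  <!-- PICT and PSD parsers: the heap overflow and out-of-bounds read discussed
       above. Deny them while the installed build is unpatched; re-enable once
       a fixed release is deployed, if the formats are needed. -->
  <policy domain="coder" rights="none" pattern="PICT" />
  <policy domain="coder" rights="none" pattern="PSD" />

  <!-- Indirect reads: a filename argument of the form "@file" pulls in the
       contents of a local file. Deny them on pipelines that process untrusted
       input. -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
<!-- Verify what the running binary actually loaded with:
       convert -list policy     (or: identify -list policy) -->
```

Because policy.xml is read at run time, the check above is the quickest way to confirm that the deployed file, and not a stale copy elsewhere on the search path, is the one in effect.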

