Date: Tue, 29 Apr 2008 09:18:45 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
To: Mikhail Teterin <mi+kde@aldan.algebra.com>
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, Henrik Brix Andersen <brix@freebsd.org>, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/graphics/GraphicsMagick Makefile distinfo
Message-ID: <Pine.SOC.4.64.0804290908040.953@freddy.simplesystems.org>
In-Reply-To: <200804290822.29305@aldan>
References: <200804290052.m3T0q6bB088900@repoman.freebsd.org> <20080429055949.GA1517@tirith.brixandersen.dk> <200804290822.29305@aldan>

On Tue, 29 Apr 2008, Mikhail Teterin wrote:

> On ???????? 29 ??????? 2008, Henrik Brix Andersen wrote:
> = > Update to 1.1.12, which (partially) fixes some potential security
> = > flaws...
> =
> = The flaws are only partially fixed? Or the update is only partially a
> = security update?
>
> My understanding -- from the author's description (CC-ed) -- is that the flaws
> are inherent and can not be /fully/ fixed. ImageMagick and GraphicsMagick
> both look at the filename for the "special characters" and extensions. By
> carefully crafting those, it may be possible to cause them to launch other
> executables...

Yes, this is the case. The likely file format is derived from the file
name, which may be over-ridden by an explicit format specifier prefix
(e.g. "TIFF:foo") or a test of the header of the existing file. For
the extension "X", the request is passed to some X11 support code
which either imports an image from the screen, or displays the image
to the screen. For extensions matching a "delegate" entry in the
delegates.mgk XML file, the matching delegate entry is executed
(executing an external program) with the whole filename as its input
or output depending on usage context. External program execution is
believed to be secure in GraphicsMagick but execution of those
external programs may be very much unwanted in a server context.

This is the summary I wrote for the announcement text:

"GraphicsMagick 1.1.12 is now released. This release helps diminish
the risk of external delegate exploits, and X11 exploits, via
carefully-crafted file names. For example, prior to this release, an
X11 screen capture could be triggered, a web browser could be started,
a job could be sent to the printer, and The GIMP could be started, due
to requesting the read or write of ordinary-looking file names with
particular extensions. This issue is not new and in fact has existed
in ImageMagick since the '90s."

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
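
The following is an added example, not part of the original message and not GraphicsMagick code: a server-side check that refuses untrusted file names which could select the X11 path, a delegate, or their own format specifier prefix, and otherwise returns an argument with an explicit allow-listed prefix. The allow-list, the function names and the /srv/uploads directory are assumptions.

```python
import os
import re

# Assumption: the formats this service decodes, mapped to the format
# specifier prefix to pass explicitly. Not taken from the original message.
ALLOWED_FORMATS = {"jpg": "JPEG", "jpeg": "JPEG", "png": "PNG",
                   "gif": "GIF", "tif": "TIFF", "tiff": "TIFF"}

# No ':' (format specifier prefix), no path separators, no leading '-' or '.'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def safe_gm_argument(untrusted_name, upload_dir):
    """Return 'FORMAT:path' for an acceptable name, else raise ValueError."""
    if not SAFE_NAME.fullmatch(untrusted_name):
        raise ValueError("characters outside the allow-list")
    stem, dot, ext = untrusted_name.rpartition(".")
    if not dot or not stem:
        raise ValueError("no extension")
    fmt = ALLOWED_FORMATS.get(ext.lower())
    if fmt is None:
        # Covers 'x' (X11 code path) and any extension a delegate might match.
        raise ValueError("extension not allow-listed")
    # Explicit prefix: the format is stated by us, not derived from the name.
    return fmt + ":" + os.path.join(upload_dir, untrusted_name)


def triage(names, upload_dir):
    """Map each name to its safe argument, or to None if it was rejected."""
    result = {}
    for name in names:
        try:
            result[name] = safe_gm_argument(name, upload_dir)
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample names, not from the original message.
    samples = ["photo.JPG", "TIFF:foo", "capture.x", "page.html", "-debug.png"]
    for name, arg in triage(samples, "/srv/uploads").items():
        print(f"{name!r:14} -> {arg or 'rejected'}")
```

The returned string is meant to be passed as a single argv element to the image tool, never interpolated into a shell command line.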
