Date: Tue, 29 Apr 2008 09:18:45 -0500 (CDT)
From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
To: Mikhail Teterin <mi+kde@aldan.algebra.com>
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, Henrik Brix Andersen <brix@freebsd.org>, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/graphics/GraphicsMagick Makefile distinfo
Message-ID: <Pine.SOC.4.64.0804290908040.953@freddy.simplesystems.org>
In-Reply-To: <200804290822.29305@aldan>
References: <200804290052.m3T0q6bB088900@repoman.freebsd.org> <20080429055949.GA1517@tirith.brixandersen.dk> <200804290822.29305@aldan>

On Tue, 29 Apr 2008, Mikhail Teterin wrote:

> On ???????? 29 ??????? 2008, Henrik Brix Andersen wrote:
> = >   Update to 1.1.12, which (partially) fixes some potential security
> = >   flaws...
> =
> = The flaws are only partially fixed? Or the update is only partially a
> = security update?
>
> My understanding -- from the author's description (CC-ed) -- is that the flaws
> are inherent and can not be /fully/ fixed. ImageMagick and GraphicsMagick
> both look at the filename for the "special characters" and extensions. By
> carefully crafting those, it may be possible to cause them to launch other
> executables...

Yes, this is the case. The likely file format is derived from the
file name, which may be over-ridden by an explicit format specifier
prefix (e.g. "TIFF:foo") or a test of the header of the existing file.

For the extension "X", the request is passed to some X11 support code
which either imports an image from the screen, or displays the image
to the screen.

For extensions matching a "delegate" entry in the delegates.mgk XML
file, the matching delegate entry is executed (executing an external
program) with the whole filename as its input or output depending on
usage context. External program execution is believed to be secure in
GraphicsMagick but execution of those external programs may be very
much unwanted in a server context.

This is the summary I wrote for the announcement text:

"GraphicsMagick 1.1.12 is now released. This release helps diminish
the risk of external delegate exploits, and X11 exploits, via
carefully-crafted file names. For example, prior to this release, an
X11 screen capture could be triggered, a web browser could be started,
a job could be sent to the printer, and The GIMP could be started, due
to requesting the read or write of ordinary-looking file names with
particular extensions. This issue is not new and in fact has existed
in ImageMagick since the '90s."

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
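
Added example (not part of the original message and not GraphicsMagick code): one way a server could act on the point above, by accepting only file names whose extension is on an allowlist and handing GraphicsMagick an explicit format prefix, so the format is never inferred from an untrusted name. The allowlist, the upload directory and all function names are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumed allowlist for this example: file extension -> explicit format prefix.
ALLOWED_FORMATS = {"png": "PNG", "jpg": "JPEG", "jpeg": "JPEG",
                   "gif": "GIF", "tif": "TIFF", "tiff": "TIFF"}

# One stem plus one extension, conservative characters only. The pattern has
# no ':' (so a caller cannot supply its own "FMT:" prefix), no path
# separators and no leading '-' that could be read as a command-line option.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*\.([A-Za-z0-9]+)")


class RejectedName(ValueError):
    """Raised when an untrusted file name must not reach GraphicsMagick."""


def pinned_gm_path(untrusted_name: str, base_dir: str) -> str:
    """Return 'FMT:/base_dir/name' for an allowlisted name, else raise."""
    match = SAFE_NAME.fullmatch(untrusted_name)
    if match is None:
        raise RejectedName(f"unsafe characters in {untrusted_name!r}")
    fmt = ALLOWED_FORMATS.get(match.group(1).lower())
    if fmt is None:
        # Covers "X" and any extension that might match a delegate entry.
        raise RejectedName(f"extension not allowlisted: {untrusted_name!r}")
    return f"{fmt}:{PurePosixPath(base_dir) / untrusted_name}"


def convert_argv(src: str, dst: str, base_dir: str) -> list:
    """Build an argv list (no shell) with both file names format-pinned."""
    return ["gm", "convert",
            pinned_gm_path(src, base_dir), pinned_gm_path(dst, base_dir)]


def triage(names, base_dir="/srv/uploads"):
    """Map each name to its pinned path, or to None when it is rejected."""
    result = {}
    for name in names:
        try:
            result[name] = pinned_gm_path(name, base_dir)
        except RejectedName:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    for name, pinned in triage(["photo.png", "scan.TIFF", "capture.x",
                                "TIFF:foo", "../etc.png"]).items():
        print(f"{name!r:14} -> {pinned}")
```

The input and output names are pinned separately because, as the message notes, a delegate can run on either the read or the write side.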