From: Bob Friesenhahn
Date: Tue, 29 Apr 2008 09:18:45 -0500 (CDT)
To: Mikhail Teterin
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, Henrik Brix Andersen, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/graphics/GraphicsMagick Makefile distinfo

On Tue, 29 Apr 2008, Mikhail Teterin wrote:

> On ???????? 29 ??????? 2008, Henrik Brix Andersen wrote:
> = >   Update to 1.1.12, which (partially) fixes some potential security
> = >   flaws...
> =
> = The flaws are only partially fixed? Or the update is only partially a
> = security update?
>
> My understanding -- from the author's description (CC-ed) -- is that the flaws
> are inherent and can not be /fully/ fixed. ImageMagick and GraphicsMagick
> both look at the filename for the "special characters" and extensions. By
> carefully crafting those, it may be possible to cause them to launch other
> executables...

Yes, this is the case. The likely file format is derived from the
file name, which may be over-ridden by an explicit format specifier
prefix (e.g. "TIFF:foo") or a test of the header of the existing file.

For the extension "X", the request is passed to some X11 support code
which either imports an image from the screen, or displays the image
to the screen.

For extensions matching a "delegate" entry in the delegates.mgk XML
file, the matching delegate entry is executed (executing an external
program) with the whole filename as its input or output depending on
usage context. External program execution is believed to be secure in
GraphicsMagick but execution of those external programs may be very
much unwanted in a server context.

This is the summary I wrote for the announcement text:

"GraphicsMagick 1.1.12 is now released. This release helps diminish
the risk of external delegate exploits, and X11 exploits, via
carefully-crafted file names. For example, prior to this release, an
X11 screen capture could be triggered, a web browser could be started,
a job could be sent to the printer, and The GIMP could be started, due
to requesting the read or write of ordinary-looking file names with
particular extensions. This issue is not new and in fact has existed
in ImageMagick since the '90s."

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
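
For the server context mentioned in the message above, one way to keep client-chosen file names out of format selection is sketched below. This is an added example, not code from the message or from GraphicsMagick. The function names, the allowlist and the storage path are hypothetical, and it assumes the caller stores the upload at the returned path and passes the returned string as the tool's input argument.

```python
import os
import uuid

# Constructed allowlist: leading magic bytes -> (format prefix, stored extension).
ALLOWED = {
    b"\x89PNG\r\n\x1a\n": ("PNG", ".png"),
    b"\xff\xd8\xff": ("JPEG", ".jpg"),
    b"GIF87a": ("GIF", ".gif"),
    b"GIF89a": ("GIF", ".gif"),
}
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def sniff_format(header: bytes):
    """Return (prefix, extension) when the content is allowlisted, else None."""
    for magic, fmt in ALLOWED.items():
        if header.startswith(magic):
            return fmt
    return None


def input_spec(header: bytes, storage_dir: str, token: str = "") -> str:
    """Build the tool's input argument from file content, never from the name.

    The upload is stored under a server-generated name and the format is
    pinned with an explicit prefix, so neither the extension nor any
    characters chosen by the client take part in format selection.
    """
    fmt = sniff_format(header)
    if fmt is None:
        raise ValueError("content is not an allowlisted image type")
    prefix, ext = fmt
    token = token or uuid.uuid4().hex
    return f"{prefix}:{storage_dir.rstrip('/')}/{token}{ext}"


def name_is_suspicious(client_name: str) -> bool:
    """Flag client-supplied names that would steer format selection (for logging)."""
    base = os.path.basename(client_name)
    ext = os.path.splitext(base)[1].lower()
    return ":" in base or ext not in ALLOWED_EXTS
```

The original name can still be kept as metadata for display; `name_is_suspicious` is only a signal for logging and review, since the name itself is never passed to the tool.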