Message-ID: <20160503181505.GA8195@openwall.com>
Date: Tue, 3 May 2016 21:15:05 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

Thank you for bringing this in here, Ryan.

On Tue, May 03, 2016 at 10:59:12AM -0700, Ryan Huber wrote:
> What are "magic bytes"?
> 
> The first few bytes of a file can often be used to identify the type of
> file. Some examples are GIF images, which start with the hex bytes "47
> 49 46 38", and JPEG images, which start with "FF D8". This list on
> Wikipedia has the magic bytes for most common file types.

It may be preferable to refer to ImageMagick's own list of magics.
HD Moore tweeted the relevant links:

<hdmoore> Two reasons you probably shouldn't be using ImageMagick in your web applications: https://github.com/ImageMagick/ImageMagick/blob/8c9d68ca4241b6faafa7a35658a125c3500a5edf/MagickCore/magic.c#L89 & https://github.com/ImageMagick/ImageMagick/blob/e93e339c0a44cec16c08d78241f7aa3754485004/www/source/delegates.xml#L62
<hdmoore> ImageTragick: Upload(meme.png)->(IM detects non-png format based on file magic)->(IM uses insecure delegates to decode)->Shells!

> ImageMagick also disclosed this on their forum a few hours ago.

https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Alexander
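
An added example (not part of the original message and not ImageMagick code): a pre-check that rejects an upload whose leading bytes do not match the type its extension claims, which is the mismatch described in the tweet quoted above. The GIF and JPEG signatures are the ones quoted in the message; the PNG signature, the function names and the extension allow-list are assumptions of this example.

```python
import os

# Leading-byte signatures. The GIF and JPEG values are the ones quoted in
# the message; the PNG signature is added here from the PNG specification.
SIGNATURES = {
    "gif": (bytes.fromhex("47494638"),),           # "GIF8"
    "jpeg": (bytes.fromhex("ffd8"),),
    "png": (bytes.fromhex("89504e470d0a1a0a"),),
}

# Hypothetical allow-list mapping upload extensions to an expected type.
EXTENSION_TYPES = {".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def sniff_type(header: bytes):
    """Return the allow-listed type whose signature starts `header`, else None."""
    for name, prefixes in SIGNATURES.items():
        if any(header.startswith(p) for p in prefixes):
            return name
    return None


def check_upload(filename: str, data: bytes):
    """Return (ok, detail). ok is True only when the extension is allow-listed
    and the content's magic bytes identify the same type."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSION_TYPES.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff_type(data[:16])
    if actual is None:
        return False, "content does not start with an allowed signature"
    if actual != expected:
        return False, f"extension says {expected}, content is {actual}"
    return True, expected


# Constructed sample uploads (byte strings made up for this example).
SAMPLES = [
    ("photo.jpg", bytes.fromhex("ffd8ffe000104a464946")),
    ("anim.gif", b"GIF89a" + b"\x00" * 8),
    ("meme.png", b"plain text pretending to be a PNG\n"),
    ("logo.png", b"GIF89a" + b"\x00" * 8),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, check_upload(name, body))
```

The check runs before the file is handed to ImageMagick, so a mismatched upload is rejected without any decoder or delegate being invoked.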
