Message-ID: <3b0ab9e5-d160-c5fe-a554-a5ac61eede34@cpanel.net>
Date: Thu, 19 May 2016 16:27:09 -0500
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick Is On Fire -- CVE-2016-3714

On 5/19/16 2:00 PM, Simon McVittie wrote:
> Bob, if you would like distributions to pick up GraphicsMagick security
> fixes in a timely way, it would probably be really useful to do an
> upstream release - distributions are typically a lot more confident about
> backporting large changes to their stable branches without regressions
> if they've been able to get some testing on the same changes in their
> unstable branches first.

I spent quite a bit of time looking at the ImageMagick, GraphicsMagick,
RedHat and Debian changes trying to piece together a proper list of
flaws to fix through backporting and policy file changes.

I also spent some time looking at the remaining delegates trying to
figure out which will have near-identical flaws to the issues that have
already been fixed.

This is the list I'm working off of. For RedHat and Debian, I only
checked the ImageMagick updates.

CVE-2016-3714 - RCE via shell characters in delegate invocation.
ImageMagick: Fixed
GraphicsMagick: Not vulnerable
RedHat: Fixed
Debian: Fixed

CVE-2016-3718 - SSRF via HTTP and FTP coders
ImageMagick: Not fixed
GraphicsMagick: Not fixed
RedHat: Fixed
Debian: Fixed

CVE-2016-3715 - File deletion via EPHEMERAL coder
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Fixed
Debian: Fixed

CVE-2016-3716 - File move via MSL coder
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Fixed
Debian: Fixed

CVE-2016-3717 - File read via LABEL coder
ImageMagick: Not fixed?
GraphicsMagick: Not fixed?
RedHat: Fixed
Debian: Fixed

No CVE assigned - Heap overflow in PICT parser
ImageMagick: Fixed
GraphicsMagick: ??
RedHat: Not fixed
Debian: Not fixed
Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

No CVE assigned - Out of bounds read in the PSD parser
ImageMagick: Fixed
GraphicsMagick: ??
RedHat: Not fixed
Debian: Not fixed
Reference: http://www.openwall.com/lists/oss-security/2016/05/11/3

No CVE assigned - RCE via gnuplot delegate
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Not fixed
Debian: Fixed
Reference: http://www.openwall.com/lists/oss-security/2016/05/09/1

No CVE assigned - File read via man delegate
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Not fixed
Debian: Not fixed
Reference: https://sourceforge.net/p/graphicsmagick/mailman/message/35072963/

The core problems brought up in CVE-2016-3718 and CVE-2016-3717 haven't
been fully addressed anywhere.

It's trivial to generate SSRF payloads for the formats processed through
html2ps and soffice. I'd also expect that SSRF is normal behavior for
uniconvertor, and RCE is normal behavior for blender and povray, but I
haven't verified.

If those are all counted separately...

No CVE assigned - SSRF via html2ps delegates
ImageMagick: Not fixed
GraphicsMagick: Not fixed
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - SSRF via soffice delegates
ImageMagick: Not fixed
GraphicsMagick: Not vulnerable
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - (assumed) SSRF via uniconvertor delegates
ImageMagick: Not fixed
GraphicsMagick: Not vulnerable
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - (assumed) RCE via blender delegate
ImageMagick: Not fixed
GraphicsMagick: Not vulnerable
RedHat: Not fixed
Debian: Not fixed

No CVE assigned - (assumed) RCE via povray delegate
ImageMagick: Fixed
GraphicsMagick: Fixed
RedHat: Not fixed
Debian: Not fixed

Are there other formats that are unsafe and should be removed using the
policy configuration files?
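The coder and path restrictions this list implies, written out as an ImageMagick policy.xml (an added defender's example, not from the post or from the project's shipped defaults; the "delegate" domain entry at the end assumes an ImageMagick build recent enough to support that policy domain, and the MAN pattern assumes the man delegate is reached under that format name):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example hardening policy: deny the coders tied to the issues above.
     rights="none" means the coder may be neither read nor written. -->
<policymap>
  <!-- CVE-2016-3714: RCE via delegate invocation, reachable through
       MVG/SVG-style "fill url(...)" directives -->
  <policy domain="coder" rights="none" pattern="MVG" />

  <!-- CVE-2016-3718: SSRF through the URL-fetching coders (HTTP/FTP
       are served by the URL coder; HTTPS goes through the curl delegate) -->
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="FTP" />

  <!-- CVE-2016-3715: file deletion via the EPHEMERAL coder -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />

  <!-- CVE-2016-3716: file move via MSL scripting -->
  <policy domain="coder" rights="none" pattern="MSL" />

  <!-- CVE-2016-3717: local file read via label:@file (also TEXT/CAPTION).
       The path rule blocks the "@file" indirection for every coder. -->
  <policy domain="coder" rights="none" pattern="LABEL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="path"  rights="none" pattern="@*" />

  <!-- gnuplot delegate (PLT format) and man delegate
       (MAN pattern is an assumption about the registered format name) -->
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="coder" rights="none" pattern="MAN" />

  <!-- Catch-all for html2ps, soffice, uniconvertor, blender, povray and
       any other external program in delegates.xml. Assumes a version
       that honours the "delegate" policy domain; on older builds this
       line is ignored and each delegate format must be denied by name. -->
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>
```

After installing it, `convert -list policy` (or `identify -list policy`) prints the active rules, which is the quickest way to confirm the file was actually picked up from the configured search path.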


