cvs commit: ports/graphics/GraphicsMagick Makefile distinfo

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Tue Apr 29 14:42:54 UTC 2008


On Tue, 29 Apr 2008, Mikhail Teterin wrote:

> On Tuesday 29 April 2008, Henrik Brix Andersen wrote:
> = >   Update to 1.1.12, which (partially) fixes some potential security
> = >   flaws...
> =
> = The flaws are only partially fixed? Or the update is only partially a
> = security update?
>
> My understanding -- from the author's description (CC-ed) -- is that the flaws
> are inherent and can not be /fully/ fixed. ImageMagick and GraphicsMagick
> both look at the filename for the "special characters" and extensions. By
> carefully crafting those, it may be possible to cause them to launch other
> executables...

Yes, this is the case.  The likely file format is derived from the 
file name, which may be over-ridden by an explicit format specifier 
prefix (e.g. "TIFF:foo") or a test of the header of the existing file.

For the extension "X", the request is passed to some X11 support code 
which either imports an image from the screen, or displays the image 
to the screen.

For extensions matching a "delegate" entry in the delegates.mgk XML 
file, the matching delegate entry is executed (executing an external 
program) with the whole filename as its input or output depending on 
usage context.  External program execution is believed to be secure in 
GraphicsMagick but execution of those external programs may be very 
much unwanted in a server context.

This is the summary I wrote for the announcement text:

  "GraphicsMagick 1.1.12 is now released.  This release helps diminish 
the risk of external delegate exploits, and X11 exploits, via 
carefully-crafted file names.  For example, prior to this release, an 
X11 screen capture could be triggered, a web browser could be started, 
a job could be sent to the printer, and The GIMP could be started, due 
to requesting the read or write of ordinary-looking file names with 
particular extensions.  This issue is not new and in fact has existed 
in ImageMagick since the '90s."

Bob
======================================
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
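
The file-name handling described in the message above, turned into a pre-check a server could run before handing a user-supplied name to GraphicsMagick. This is an added example, not code from the message or from GraphicsMagick; the allow-list, the function names and the sample delegate entries (including the assumed `decode`/`encode` attribute names) are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the style of a delegates.mgk file. The attribute names
# "decode"/"encode"/"command" are an assumption; entries are not from a release.
SAMPLE_DELEGATES = """<delegatemap>
  <delegate decode="browse" command="example-browser"/>
  <delegate encode="print" command="example-print-spooler"/>
  <delegate decode="gimp-edit" command="example-image-editor"/>
</delegatemap>"""

# Formats this hypothetical service is willing to process.
ALLOWED = {"png", "jpg", "jpeg", "gif", "tiff"}

def delegate_names(xml_text):
    """Collect every name that would select a delegate entry."""
    names = set()
    for entry in ET.fromstring(xml_text).iter("delegate"):
        for attr in ("decode", "encode"):
            if entry.get(attr):
                names.add(entry.get(attr).lower())
    return names

def check_filename(name, delegates, allowed=ALLOWED):
    """Return (ok, reason) for a user-supplied file name."""
    # A "FORMAT:" prefix overrides the extension, so user input may not carry one.
    if ":" in name:
        return False, "explicit format prefix"
    ext = os.path.splitext(os.path.basename(name))[1].lstrip(".").lower()
    if ext == "x":
        return False, "X11 extension"          # screen import / display
    if ext in delegates:
        return False, "delegate extension"     # would run an external program
    if ext not in allowed:
        return False, "format not on allow-list"
    return True, "ok"

def pinned_argument(name, delegates):
    """Return the name with the format pinned by an explicit prefix, or raise."""
    ok, reason = check_filename(name, delegates)
    if not ok:
        raise ValueError(f"rejected {name!r}: {reason}")
    ext = os.path.splitext(name)[1].lstrip(".").upper()
    return f"{ext}:{name}"

if __name__ == "__main__":
    known = delegate_names(SAMPLE_DELEGATES)
    for candidate in ("photo.png", "TIFF:foo", "shot.x", "report.browse"):
        print(candidate, check_filename(candidate, known))
```

In a real deployment the delegate names would be read from the installed delegates.mgk rather than from the embedded sample.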

