cvs commit: ports/graphics/GraphicsMagick Makefile distinfo
Bob Friesenhahn
bfriesen at simple.dallas.tx.us
Tue Apr 29 14:42:54 UTC 2008
On Tue, 29 Apr 2008, Mikhail Teterin wrote:
> On Tuesday 29 April 2008, Henrik Brix Andersen wrote:
> > > Update to 1.1.12, which (partially) fixes some potential security
> > > flaws...
> >
> > The flaws are only partially fixed? Or the update is only partially a
> > security update?
>
> My understanding -- from the author's description (CC-ed) -- is that the flaws
> are inherent and cannot be /fully/ fixed. ImageMagick and GraphicsMagick
> both look at the filename for the "special characters" and extensions. By
> carefully crafting those, it may be possible to cause them to launch other
> executables...

Yes, this is the case. The likely file format is derived from the
file name, which may be overridden by an explicit format specifier
prefix (e.g. "TIFF:foo") or a test of the header of the existing file.

For the extension "X", the request is passed to some X11 support code
which either imports an image from the screen, or displays the image
to the screen.

For extensions matching a "delegate" entry in the delegates.mgk XML
file, the matching delegate entry is executed (executing an external
program) with the whole filename as its input or output depending on
usage context. External program execution is believed to be secure in
GraphicsMagick but execution of those external programs may be very
much unwanted in a server context.

This is the summary I wrote for the announcement text:
"GraphicsMagick 1.1.12 is now released. This release helps diminish
the risk of external delegate exploits, and X11 exploits, via
carefully-crafted file names. For example, prior to this release, an
X11 screen capture could be triggered, a web browser could be started,
a job could be sent to the printer, and The GIMP could be started, due
to requesting the read or write of ordinary-looking file names with
particular extensions. This issue is not new and in fact has existed
in ImageMagick since the '90s."
Bob
======================================
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
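Added example, not code from this thread or from GraphicsMagick: a filename policy a server could apply before handing an uploaded name to gm, so that the format is pinned with an explicit prefix (the "TIFF:foo" form described above) instead of being inferred from the name or its extension. The extension allowlist, the format-code mapping and the magic bytes are assumptions made for this example.

```python
import os
import re

# Policy for this example (an assumption, not GraphicsMagick's own code):
# the only extensions a server is willing to hand to gm, and the explicit
# "FORMAT:" prefix (the form the thread shows as "TIFF:foo") for each.
FORMAT_FOR_EXTENSION = {
    "png": "PNG", "jpg": "JPEG", "jpeg": "JPEG", "gif": "GIF",
    "tif": "TIFF", "tiff": "TIFF", "bmp": "BMP",
}

# Leading bytes used to confirm the content really is the claimed format.
MAGIC = {
    "PNG": (b"\x89PNG\r\n\x1a\n",),
    "JPEG": (b"\xff\xd8\xff",),
    "GIF": (b"GIF87a", b"GIF89a"),
    "TIFF": (b"II*\x00", b"MM\x00*"),
    "BMP": (b"BM",),
}

# Conservative name shape: one dot, no ':' (so a client cannot smuggle an
# "X:" or "TIFF:" prefix), no shell metacharacters, no path separators.
BASENAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name must not reach gm."""


def safe_gm_argument(untrusted_name: str, header: bytes) -> str:
    """Return "FORMAT:basename" for gm, or raise UnsafeFilename.
    Drops the directory part, requires an allowlisted extension, checks the
    header matches that format, and pins it with an explicit prefix."""
    base = os.path.basename(untrusted_name)
    if not BASENAME_RE.match(base):
        raise UnsafeFilename(f"rejected name: {untrusted_name!r}")
    fmt = FORMAT_FOR_EXTENSION.get(base.rsplit(".", 1)[1].lower())
    if fmt is None:
        raise UnsafeFilename(f"extension not allowed: {untrusted_name!r}")
    if not any(header.startswith(m) for m in MAGIC[fmt]):
        raise UnsafeFilename(f"content does not look like {fmt}: {base!r}")
    return f"{fmt}:{base}"


def is_rejected(untrusted_name: str, header: bytes) -> bool:
    """True when the policy refuses the name/content pair."""
    try:
        safe_gm_argument(untrusted_name, header)
    except UnsafeFilename:
        return True
    return False
```

The returned string is meant to be passed to gm as a single argv element (no shell), so the explicit prefix, not the extension, decides which coder or delegate runs.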