
oss-sec mailing list archives
Re: CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename
From: cve-assign () mitre org
Date: Sun, 29 May 2016 22:02:53 -0400 (EDT)
> if the first character of the file specification is a '|', then the remainder of the filename is passed to the shell for execution using the POSIX popen(3C) function
>
> The simple solution to the problem is to disable the popen support (HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the attached patch.
Use CVE-2016-5118.
> Previously supplied recommended patches for GraphicsMagick do successfully block this attack vector in SVG and MVG.
If there was a previous announcement of a vulnerability fix for a subset of the exploitation methodologies, then a separate CVE ID is also needed. The scope of CVE-2016-5118 is only the new "initial | character" information announced in the http://www.openwall.com/lists/oss-security/2016/05/29/7 post. (For example, if there had previously been any type of announcement that the xlink:href="| substring was being blocked in the native SVG readers, then that can have its own unique CVE ID.)
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
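
The filename handling described in the quoted report, as an added illustration that is not part of the original message and is not GraphicsMagick's code: a file-specification dispatcher in which the leading '|' case exists only when popen support is compiled in. The names `spec_kind`, `classify_spec` and `open_spec` are hypothetical; `HAVE_POPEN` is the build macro named in the post.

```c
#define _POSIX_C_SOURCE 200809L   /* declares popen() when HAVE_POPEN is set */
#include <stdio.h>

/* Added illustration; hypothetical names, not GraphicsMagick's magick/blob.c. */
typedef enum { SPEC_REJECTED, SPEC_FILE, SPEC_PIPE } spec_kind;

/* Decide how a file specification would be opened. The leading '|' case is
 * the one the report describes; without HAVE_POPEN it is refused outright. */
spec_kind classify_spec(const char *spec)
{
    if (spec == NULL || spec[0] == '\0')
        return SPEC_REJECTED;
    if (spec[0] == '|') {
#ifdef HAVE_POPEN
        return SPEC_PIPE;      /* remainder would be handed to the shell */
#else
        return SPEC_REJECTED;  /* popen support compiled out */
#endif
    }
    return SPEC_FILE;
}

/* Open a specification for reading. *is_pipe tells the caller whether the
 * stream must be closed with pclose() (pipe) or fclose() (regular file). */
FILE *open_spec(const char *spec, int *is_pipe)
{
    spec_kind kind = classify_spec(spec);
    *is_pipe = 0;
    if (kind == SPEC_FILE)
        return fopen(spec, "rb");
#ifdef HAVE_POPEN
    if (kind == SPEC_PIPE) {
        *is_pipe = 1;
        return popen(spec + 1, "r");
    }
#endif
    return NULL;
}

int main(void)
{
    /* Constructed sample specifications. */
    const char *samples[] = { "photo.png", "|constructed-command" };
    for (int i = 0; i < 2; i++)
        printf("%s -> kind %d\n", samples[i], (int)classify_spec(samples[i]));
    return 0;
}
```

Building with `-DHAVE_POPEN` makes `classify_spec` report `SPEC_PIPE` for the second sample; the default build reports `SPEC_REJECTED`.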
Current thread:
- CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename Bob Friesenhahn (May 29)
- Re: CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerability via filename cve-assign (May 29)