Security GraphicsMagick and ImageMagick popen() shell vulnerability via filename

Revenge · Jun 1, 2016

All existing releases of GraphicsMagick and ImageMagick support a file
open syntax where if the first character of the file specification is
a '|', then the remainder of the filename is passed to the shell for
execution using the POSIX popen(3C) function. File opening is handled
by an OpenBlob() function in the source file blob.c. Unlike the
vulnerability described by CVE-2016-3714, this functionality is
supported by the core file opening function rather than a delegates
subsystem usually used to execute external programs.
Click to expand...

CVE Request: GraphicsMagick and ImageMagick popen() shell vulnerabilit

eva2000 · Jun 1, 2016

remi repo already updated i think

Code (Text):

rpm -q ImageMagick-last
ImageMagick-last-6.9.4.4-1.el6.remi.x86_64

Code (Text):

rpm -q --changelog ImageMagick-last | head -n6
* Fri May 27 2016 Remi Collet <remi@remirepo.net> - 6.9.4.4-1
- update to version 6.9.4 patchlevel 4

* Thu May 19 2016 Remi Collet <remi@remirepo.net> - 6.9.4.3-1
- update to version 6.9.4 patchlevel 3

shame the changelog doesn't have any details

doing check

Code (Text):

convert '|echo Hello > hello.txt;' null:
convert: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/504.
convert: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
ls hello.txt
hello.txt

Log in / Register

Forums

Join the community today

Security GraphicsMagick and ImageMagick popen() shell vulnerability via filename

Revenge Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security GraphicsMagick and ImageMagick popen() shell vulnerability via filename

Revenge Active Member

eva2000 Administrator Staff Member

.