public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ImageMagick-7 security
From: Mick @ 2018-08-23  8:06 UTC
  To: gentoo-user


I noticed this enotice in imagemagick:

 * For security reasons, a policy.xml file was installed in /etc/ImageMagick-7
 * which will prevent the usage of the following coders by default:
 *           
 *   - PS    
 *   - EPS   
 *   - PDF   
 *   - XPS   

Excuse my ignorance, but I am not sure why the above PS related files are 
disabled.  What is the security threat exactly?  JavaScript contents which may 
be executed by ImageMagick?

-- 
Regards,
Mick


* [gentoo-user] Re: ImageMagick-7 security
From: Mick @ 2018-08-23  8:10 UTC
  To: gentoo-user


On Thursday, 23 August 2018 09:06:12 BST Mick wrote:
> I noticed this enotice in imagemagick:
> 
>  * For security reasons, a policy.xml file was installed in
> /etc/ImageMagick-7 * which will prevent the usage of the following coders
> by default: *
>  *   - PS
>  *   - EPS
>  *   - PDF
>  *   - XPS
> 
> Excuse my ignorance, but I am not sure why the above PS related files are
> disabled.  What is the security threat exactly?  JavaScript contents which
> may be executed by ImageMagick?

My google-fu is rusty this morn - I found this explanation[1]:

"ImageMagick allows to process files with external libraries. This feature is 
called 'delegate'. It is implemented as a system() with command string 
('command') from the config file delegates.xml with actual value for different 
params (input/output filenames etc). Due to insufficient %M param filtering it 
is possible to conduct shell command injection."

So, remote code execution is one such vulnerability.

[1] https://imagetragick.com/

-- 
Regards,
Mick


* Re: [gentoo-user] ImageMagick-7 security
From: Peter Humphrey @ 2018-08-23  8:12 UTC
  To: gentoo-user

On Thursday, 23 August 2018 09:06:12 BST Mick wrote:
> I noticed this enotice in imagemagick:
> 
>  * For security reasons, a policy.xml file was installed in
> /etc/ImageMagick-7 * which will prevent the usage of the following coders
> by default: *
>  *   - PS
>  *   - EPS
>  *   - PDF
>  *   - XPS
> 
> Excuse my ignorance, but I am not sure why the above PS related files are
> disabled.  What is the security threat exactly?  JavaScript contents which
> may be executed by ImageMagick?

That prompted me to emerge -K imagemagick, and I saw the same. But just 
before the line " * For security reasons..." was this:

/var/tmp/portage/media-gfx/imagemagick-7.0.8.10-r1/temp/environment: line 
2260: version_is_at_least: command not found

So that's two mysteries.

-- 
Regards,
Peter.






* Re: [gentoo-user] ImageMagick-7 security
From: Corentin “Nado” Pazdera @ 2018-08-23  8:28 UTC
  To: gentoo-user

August 23, 2018 10:12 AM, "Peter Humphrey" <peter@prh.myzen.co.uk> wrote:

> That prompted me to emerge -K imagemagick, and I saw the same. But just
> before the line " * For security reasons..." was this:
> 
> /var/tmp/portage/media-gfx/imagemagick-7.0.8.10-r1/temp/environment: line
> 2260: version_is_at_least: command not found

That's from versionator.eclass which is ditched in favor of eapi7-ver.eclass or directly integrated
in portage from eapi 7.

The ebuild has been ported to eapi7-ver without updating all previous calls to functions from
eapi7-ver.

This is a bug that should be reported.

Regards,
Corentin “Nado” Pazdera



* Re: [gentoo-user] ImageMagick-7 security
From: Corentin “Nado” Pazdera @ 2018-08-23  8:30 UTC
  To: gentoo-user

August 23, 2018 10:28 AM, "Corentin “Nado” Pazdera" <nado@troglodyte.be> wrote:

> August 23, 2018 10:12 AM, "Peter Humphrey" <peter@prh.myzen.co.uk> wrote:
> 
>> That prompted me to emerge -K imagemagick, and I saw the same. But just
>> before the line " * For security reasons..." was this:
>> 
>> /var/tmp/portage/media-gfx/imagemagick-7.0.8.10-r1/temp/environment: line
>> 2260: version_is_at_least: command not found
> 
> That's from versionator.eclass which is ditched in favor of eapi7-ver.eclass or directly integrated
> in portage from eapi 7.
> 
> The ebuild has been ported to eapi7-ver without updating all previous calls to functions from
> eapi7-ver.
from versionator*
> 
> This is a bug that should be reported.

Also, link to the commit:
https://gitweb.gentoo.org/repo/gentoo.git/diff/media-gfx/imagemagick/imagemagick-7.0.8.10-r1.ebuild?id=02765dfc333e578af9e3fd525fc0067dc47d6528


Corentin “Nado” Pazdera



* Re: [gentoo-user] ImageMagick-7 security
From: Peter Humphrey @ 2018-08-23  9:01 UTC
  To: gentoo-user

On Thursday, 23 August 2018 09:28:03 BST Corentin “Nado” Pazdera wrote:
> August 23, 2018 10:12 AM, "Peter Humphrey" <peter@prh.myzen.co.uk> wrote:
> > That prompted me to emerge -K imagemagick, and I saw the same. But just
> > before the line " * For security reasons..." was this:
> > 
> > /var/tmp/portage/media-gfx/imagemagick-7.0.8.10-r1/temp/environment:
> > line 2260: version_is_at_least: command not found
> 
> That's from versionator.eclass which is ditched in favor of
> eapi7-ver.eclass or directly integrated in portage from eapi 7.
> 
> The ebuild has been ported to eapi7-ver without updating all previous
> calls to functions from eapi7-ver.
> 
> This is a bug that should be reported.

Done:   https://bugs.gentoo.org/664348 .

-- 
Regards,
Peter.






* [gentoo-user] Re: ImageMagick-7 security
From: Ian Zimmerman @ 2018-08-23 15:19 UTC
  To: gentoo-user

On 2018-08-23 09:06, Mick wrote:

>  * For security reasons, a policy.xml file was installed in
>  * /etc/ImageMagick-7 which will prevent the usage of the following
>  * coders by default:
>  *           
>  *   - PS    
>  *   - EPS   
>  *   - PDF   
>  *   - XPS   

IM spawns ghostscript for these formats, and ghostscript is full of
holes (so to speak).  See following post and its descendants:

http://www.openwall.com/lists/oss-security/2018/08/21/2

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
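
Added example, not part of any message in this thread: a small audit that reads a policy.xml and reports whether the four coders from the enotice (PS, EPS, PDF, XPS) are actually denied. The sample policy is constructed, the function names are hypothetical, and the sketch assumes the usual `<policy domain="coder" rights="..." pattern="..."/>` rule form; it does not model ImageMagick's rule precedence.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders named in the Gentoo enotice quoted in this thread.
CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample in the policy.xml format; not the file Gentoo installs.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="{EPS,XPS}"/>
  <policy domain="coder" rights="read|write" pattern="PNG"/>
</policymap>"""


def expand_braces(pattern):
    """Expand {A,B} alternation groups into separate glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out


def audit_coders(policy_xml, coders=CODERS):
    """Map each coder to "blocked", "allowed" or "conflict"."""
    # Assumption of this example: precedence between rules is not modelled,
    # so a coder matched by both a deny and a grant rule is a "conflict".
    root = ET.fromstring(policy_xml)
    result = {}
    for coder in coders:
        denied = granted = False
        for rule in root.iter("policy"):
            if rule.get("domain", "").lower() != "coder":
                continue
            globs = expand_braces(rule.get("pattern", ""))
            if not any(fnmatch.fnmatchcase(coder, g.upper()) for g in globs):
                continue
            if rule.get("rights", "").strip().lower() == "none":
                denied = True
            else:
                granted = True
        result[coder] = ("conflict" if denied and granted
                         else "blocked" if denied else "allowed")
    return result
```

On the constructed sample this reports PDF as "allowed", since no rule matches it; passing the contents of the policy.xml in /etc/ImageMagick-7 to `audit_coders` checks the installed file the same way.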

