From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: Requesting advice on ImageMagick popen() filename vulnerability
	(CVE-2016-5118)
Date: Tue, 31 May 2016 13:40:02 -0400
Message-ID: <20160531174002.GA17530@jasmine>
References: <20160531170205.GA355@jasmine>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56927)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b7neQ-0007Bs-BL
	for guix-devel@gnu.org; Tue, 31 May 2016 13:40:23 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b7neL-0003oL-BT
	for guix-devel@gnu.org; Tue, 31 May 2016 13:40:21 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:50274)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b7neJ-0003ki-TT
	for guix-devel@gnu.org; Tue, 31 May 2016 13:40:17 -0400
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id 56928F2A55
	for <guix-devel@gnu.org>; Tue, 31 May 2016 13:40:07 -0400 (EDT)
Content-Disposition: inline
In-Reply-To: <20160531170205.GA355@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

On Tue, May 31, 2016 at 01:02:05PM -0400, Leo Famulari wrote:
> CVE-2016-5118 is a bug in GraphicsMagick and ImageMagick whereby
> one can get shell execution by passing the libraries a file whose name
> begins with the pipe character, |.
> 
> http://seclists.org/oss-sec/2016/q2/433
> 
> We (crudely) fixed this for GraphicsMagick in d8862778c1b.
> 
> Now I see that ImageMagick has suggested a similar interim fix on their
> forums:
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=29803#p134039
> 
> Also, they have begun committing mitigations to their Git repository:
> http://git.imagemagick.org/repos/ImageMagick/commit/ca430ff77794980941ff0fa0d2fc463b50c2c6b7
> 
> I plan to fix this in our package using the "crude" option until
> ImageMagick releases a new version, which seems to be happening every
> few days.

Done, as e88eb07110a.