====================================================================
CERT-Renater Information Note No. 2016/VULN232
_____________________________________________________________________
DATE : 01/06/2016
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running GraphicsMagick versions prior to 1.3.24.
======================================================================
https://sourceforge.net/projects/graphicsmagick/files/graphicsmagick/1.3.24/
____________________________________________________________________

GraphicsMagick 1.3.24 (http://www.graphicsmagick.org/) is now available.

This release provides urgent fixes for two possible shell exploits (arbitrary shell code executed on your computer due to opening a file). The shell exploits could be triggered by opening an untrusted SVG, MVG, or gnuplot file. It is possible that there are other possible paths to the same weakness that we are not aware of. The weaknesses have been removed.

We first became conscious of potential risks due to the "ImageTragick" (see https://imagetragick.com/) ImageMagick exploits. GraphicsMagick's delegates system does not suffer from the weakness which inspired "ImageTragick" but we became aware that gnuplot's system() command could be used to execute arbitrary shell code so we removed support for opening gnuplot files from delegates.mgk.

Yesterday I became aware that a seldom-used feature (inherited from ImageMagick) in which filenames beginning with the '|' character execute a shell command to read or write an image could also be exploited in all released versions of GraphicsMagick (and ImageMagick as well). See "http://www.openwall.com/lists/oss-security/2016/05/29/7" for details on this exploit. In this case we also removed the feature since removing it avoids the ability to execute arbitrary shell code based on a "filename".

We have been kept busy fixing weaknesses (problems caused by intentionally corrupted files) discovered by security researchers.
We would like to thank Hanno Böck, Gustavo Grieco, and Jodie Cunningham for running fuzzer programs and providing us with files which caused problems for GraphicsMagick. We would like to thank John Lightsey for identifying the Gnuplot weakness. We would like to thank David Chan for reporting that -dSAFER should be used with Ghostscript to assure that Postscript can not read/write files.

The following is the NEWS text associated with the release:

Special Issues:

* A shell exploit (CVE-2016-5118) was discovered associated with a filename syntax where file names starting with '|' are interpreted as shell commands executed via popen(). Insufficient sanitization in the SVG and MVG renderers allows such filenames to be passed through from potentially untrusted files. There might be other ways for untrusted inputs to produce such filenames. Due to this issue, support for the feature is removed entirely.

* A shell exploit was discovered associated with the gnuplot delegate and which is triggered by the 'gplt' entry in delegates.mgk. A remote exploit is possible if the attacker can cause a provided SVG or MVG file to be rendered (or the user opens a provided file). The gnuplot program must be installed in order for the exploit to be successful. It is strongly recommended to remove this entry in all delegates.mgk files.

* Due to `GCC bug 53967`_, several key algorithms (e.g. convolution) may execute much faster (e.g. 2-3X) for x86-64 and/or when SSE is enabled for floating point math (`-mfpmath=sse`) if the GCC option `-frename-registers` is used. Default 32-bit builds do not experience the problem since they use '387 math. It is not clear in what version of GCC this problem started but it was not noticed by the developers until the GCC 4.6 timeframe. Other compilers do not suffer from this bug. Please lobby the GCC project to fix this embarrassing performance bug.
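For installations that cannot upgrade immediately, the notes recommend two configuration checks (remove the 'gplt' entry from delegates.mgk, run Ghostscript with -dSAFER) and describe how '|'-prefixed filenames inside untrusted SVG/MVG reach popen(). The following Python is an added example implementing those checks; it is not part of the GraphicsMagick release or this advisory, and the delegates.mgk fragments and MVG snippet are constructed samples.

```python
import re

# Constructed delegates.mgk fragments (not copied from any GraphicsMagick release).
# WEAK keeps the 'gplt' (gnuplot) entry and runs Ghostscript without -dSAFER;
# HARDENED reflects the 1.3.24 recommendations.
WEAK_DELEGATES = """<delegatemap>
  <delegate decode="gplt" command='"gnuplot" "%i"' />
  <delegate decode="ps" command='"gs" -q -dBATCH -dNOPAUSE -sDEVICE=pnmraw -sOutputFile="%o" "%i"' />
</delegatemap>"""
HARDENED_DELEGATES = """<delegatemap>
  <delegate decode="ps" command='"gs" -q -dBATCH -dSAFER -dNOPAUSE -sDEVICE=pnmraw -sOutputFile="%o" "%i"' />
</delegatemap>"""

DELEGATE_RE = re.compile(r"<delegate\s+([^>]*?)/?>", re.S)
ATTR_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)')""")


def parse_delegates(text):
    """Return one attribute dict per <delegate .../> element in delegates.mgk text."""
    entries = []
    for m in DELEGATE_RE.finditer(text):
        attrs = {k: (v1 if v1 else v2) for k, v1, v2 in ATTR_RE.findall(m.group(1))}
        entries.append(attrs)
    return entries


def audit_delegates(text):
    """Flag the two delegate issues called out in the 1.3.24 notes."""
    findings = []
    for d in parse_delegates(text):
        tag = d.get("decode") or d.get("encode") or "?"
        cmd = d.get("command", "")
        if "gplt" in (d.get("decode"), d.get("encode")):
            findings.append("remove 'gplt' delegate: gnuplot can run shell commands via system()")
        if '"gs"' in cmd and "-dSAFER" not in cmd:
            findings.append(f"'{tag}' delegate runs Ghostscript without -dSAFER")
    return findings


# In versions before 1.3.24 any quoted filename beginning with '|' reached popen(),
# whether given on the command line or embedded in an SVG/MVG file.
PIPE_REF_RE = re.compile(r"""["']\s*\|[^"']*["']""")


def find_pipe_filenames(text):
    """Return '|'-prefixed quoted references found in untrusted SVG/MVG text."""
    return [m.group(0).strip("\"' ") for m in PIPE_REF_RE.finditer(text)]


# Constructed MVG fragment with a placeholder pipe reference, used to test the scanner.
SAMPLE_MVG = "viewbox 0 0 64 64\nimage Over 0,0 64,64 '|PLACEHOLDER-COMMAND'\n"
```

Run `audit_delegates()` over each delegates.mgk on the host (the file may exist in more than one location) and `find_pipe_filenames()` over SVG/MVG files received from untrusted sources before passing them to an unpatched GraphicsMagick.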
Security Fixes:

* BLOB: Remove support for reading input from a shell command, or writing output to a shell command, by prefixing the specified filename (containing the command) with a '|'. This feature provided a remote shell execution opportunity.
* DIB: Fixed out of bounds reads. Added more header validations.
* JNG: File size limits are enforced.
* MAT: Fixed denial of service opportunity. Fix hang on corrupt deflate stream.
* META: Fixed out of bounds reads and writes.
* MIFF: Fixed thrown assertion.
* MSL: Ignore the file extension on MSL files. It is necessary to add a "msl:" prefix to MSL files to read them as an image.
* MVG: No longer assume that files ending with extension ".mvg" are MVG files. MVG parsing does more validity checking on its input. Assure that enough PrimitiveInfo structures are allocated in advance to support a given vector path (heap overflow problem).
* PCX: Fixed unreasonable memory allocation due to intentionally corrupt file.
* PDB: Fixed a heap buffer overflow and out of bounds read.
* PICT: Fixed an out of bounds write.
* PS: Ghostscript is now always run with -dSAFER for safer execution.
* PSD: Fixed segmentation violations, heap buffer overflows, and out of bounds writes.
* RLE: Fixed out of bounds reads and writes.
* ReadImages(): Fixed a possible infinite recursion due to a crafted input file.
* RotateImage(): Fixed thrown assertion.
* SGI: Fixed out of bounds writes.
* SUN: Fixed out of bounds reads and writes.
* SVG: Fixed heap and stack buffer overflows, as well as segmentation violations (CVE-2016-2317 and CVE-2016-2318). Also fixed endless loop, unexpectedly large memory allocation, divide by zero, and recursion issues.
* TIFF: Fixed an assertion while reading. Fixed benign heap overflow.
* TMP: Adding a "tmp:" prefix to a filename no longer removes the file since this seems dangerous.
* VIFF: Fix excessive memory allocation with intentionally corrupted input file.
* XCF: Fixed a heap buffer overflow.
* XPM: Fixed several heap buffer overflows, and out of bound reads/writes. Also fixed a case of excessive memory allocation.
* delegate.mgk: The default delegate.mgk file has been pared down in order to reduce security exposure.
* gnuplot ('gplt' delegate in delegates.mgk): Support for rendering gnuplot files is removed since the format is inherently insecure.
* File names: File names starting with a '|' character are no longer interpreted as shell commands to be executed as input or output.

Bug fixes:

* BMP: Fix reading 24-bit Microsoft BMP which claims to have a colormap.
* FILE: `file://` URLs are properly supported now (they never worked before).
* JP2: It is now possible to write lossless JPEG 2000 "JP2" format.
* SVG: Support font-size "medium".

New Features:

* Blob I/O C APIs: Added signed versions of short and long Read/Write functions.
* FILE: `file://` URLs are properly supported now (they never worked before).
* MAT: Matlab V4 is now partially supported.
* Magick++: Added double-precision xResolution() and yResolution() methods to support setting the horizontal and vertical resolution with double floating point precision.
* Mogrify now supports a -preserve-timestamp option to preserve file access and modification timestamps.

Feature improvements:

Windows Delegate Updates/Additions:

* Updated bundled libpng to release 1.6.19.
* Updated bundled libwebp to release 0.4.4.
* Updated bundled libxml2 to release 2.9.3.
* Updated bundled freetype to release 2.6.2.

Build Changes:

* Added ``--enable-broken-coders`` configure option to enable file format support which may be broken or cause security issues. The PSD format is now classified as "broken" (until it is fixed).

Behavior Changes:

* PSD format is not included in the build by default.
* Files ending with ".mvg" and ".msl" are not assumed to be image files by default.
* File names starting with '|' are no longer treated as shell commands.
* Gnuplot and POV delegate support is removed from the default delegate.mgk file.

--
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
==========================================================