Ghostscript/ImageMagic: serious vulnerability (patched)

Post your bugs here.
User avatar
ilu
Posts: 2072
Joined: 09 Oct 2013 12:45

Ghostscript/ImageMagic: serious vulnerability (patched)

Postby ilu » 23 Aug 2018 01:12

https://www.kb.cert.org/vuls/id/332928
From https://bugs.chromium.org/p/project-zer ... il?id=1640:
I sent the following mail to the oss-security mailing list:
http://seclists.org/oss-sec/2018/q3/142
These are critical and trivial remote code execution bugs in things like ImageMagick, Evince, GIMP, and most other PDF/PS tools.
... <snip>
TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default.
Is the workaround applied to /etc/ImageMagick/policy.xml - /etc/ImageMagick-6/ in our case?

Code: Select all

    <policy domain="coder" rights="none" pattern="PS" />
    <policy domain="coder" rights="none" pattern="PS2" />
    <policy domain="coder" rights="none" pattern="PS3" />
    <policy domain="coder" rights="none" pattern="EPS" />
    <policy domain="coder" rights="none" pattern="PDF" />
    <policy domain="coder" rights="none" pattern="XPS" />
PDF is a generally dangerous file format by design. Never open PDFs from untrusted sources!

User avatar
Arjen Balfoort
Site Admin
Posts: 8884
Joined: 26 Jan 2013 19:36
Location: Netherlands
Contact:

Re: Ghostscript/ImageMagic: serious vulnerability

Postby Arjen Balfoort » 23 Aug 2018 06:46

If we set these as suggested, does it mean that users won't be able to create/edit those file types?


SolydXK needs you!
Development | Testing | Translations

User avatar
ilu
Posts: 2072
Joined: 09 Oct 2013 12:45

Re: Ghostscript/ImageMagic: serious vulnerability

Postby ilu » 23 Aug 2018 16:07

Not with imagemagick or any tools that use it - I think,
I'm not sure what to make of his suggestion. He was originally talking about this on some mailinglist for distro maintainers (no idea which one). So I think his advice is targeted at desktop systems not just servers. I'll discuss this tonight (edit: no results).

We might wait for a fix but I'm not sure that'll be coming soon. I can't even find the bug at debian. No reaction from ghostscript developers, it's not in their bugs database.

We might say. PDFs are already that dangerous by design that we don't care about some CVE. cert.org even suggests to remove ghostscript. That would seriously impact everybodies workflow.

More info: https://threatpost.com/unpatched-ghosts ... ms/136800/

User avatar
ilu
Posts: 2072
Joined: 09 Oct 2013 12:45

Re: Ghostscript/ImageMagic: serious vulnerability

Postby ilu » 08 Sep 2018 17:55

GS got patched today, so prpblem solved.


Return to “Bug control”

Who is online

Users browsing this forum: No registered users and 0 guests