Duncan Mac Leod Guru
Joined: 02 May 2004 Posts: 304 Location: Germany

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue May 10, 2016 7:01 pm
There's a bug filed; 7.0.1.2 is already in the tree but masked because it breaks compatibility.
In the meantime switching to media-gfx/graphicsmagick may be a better option.

c00l.wave Apprentice
Joined: 24 Aug 2003 Posts: 264
Posted: Wed May 18, 2016 9:47 am
I'm a bit uncomfortable with GraphicsMagick apparently having a similar issue as ImageMagick (others have been prevented before), which is currently being addressed on SCM. There is a 9999 ebuild on layman overlay "stuff" according to gpo.zugaina.org - did anyone try that yet?
Could the severity of these issues make it reasonable to include a 9999 ebuild into official portage or at least a few patches or a "pre-release" ebuild? I've made sure that my servers don't take images from untrusted sources but I still have a bad feeling about this...
Switching back to ImageMagick is not a real option - their multitude of quirks and issues and incompatible changes compared to GraphicsMagick made me switch from IM to GM in the first place (it was not for security reasons).
Quoting Bob Friesenhahn from their help mailing list regarding "ImageTragick":
Quote: | GraphicsMagick does not suffer from the specific exploits described as
"ImageTragick" because the related code was either re-written to avoid
security issues or the ImageMagick implementation otherwise diverged.
However, there is one serious issue known to me now and I plan to
perform an investigation to make sure that any issues are properly
identified so that they can be addressed in an expedient yet
reasonable way.
Once the investigation has been performed, I plan to post to the
GraphicsMagick announcements list regarding any local
fixes/work-arounds which can be made without needing to upgrade
GraphicsMagick or which could be applied to an existing release of
GraphicsMagick to make it safer.
GraphicsMagick makes only two or three releases per year and many
people do not have a reasonable opportunity to use the latest release
because they use the release that their OS distribution provides. For
example, stable Ubuntu 14.04 is providing 1.3.18, which was released
in March of 2013. A very large number of security fixes have been
made since that release. |
I think it's about this commit.
BTW, it may be a good idea to stabilize 1.3.23, just in case there have been related changes. Gentoo currently only lists 1.3.18 as stable.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &

Duncan Mac Leod Guru
Joined: 02 May 2004 Posts: 304 Location: Germany
Posted: Wed May 18, 2016 1:07 pm
Ant P. wrote: | There's a bug filed; 7.0.1.2 is already in the tree but masked because it breaks compatibility. |
Why not backport the fix?

rini17 n00b
Joined: 04 Jan 2006 Posts: 25 Location: Bratislava, Slovakia
Posted: Sun May 29, 2016 5:39 pm
Ant P. wrote: | In the meantime switching to media-gfx/graphicsmagick may be a better option. |
How do I do it? Tried -imagemagick graphicsmagick useflags, but some packages (lyx, octave, calibre, indirectly inkscape) still depend on IM and it causes a conflict.

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun May 29, 2016 7:45 pm
rini17 wrote: | Ant P. wrote: | In the meantime switching to media-gfx/graphicsmagick may be a better option. |
How do I do it? Tried -imagemagick graphicsmagick useflags, but some packages (lyx, octave, calibre, indirectly inkscape) still depend on IM and it causes a conflict. |
rini17 ... you want to set the 'imagemagick' useflag on media-gfx/graphicsmagick, I have the following:
/etc/portage/package.use: | media-gfx/graphicsmagick fontconfig imagemagick jpeg jpeg2k lcms lzma png postscript X |
... and the packages dependent on media-gfx/graphicsmagick[imagemagick] function exactly as they would with media-gfx/imagemagick.
Note, obviously media-gfx/imagemagick would need to be removed prior to installing media-gfx/graphicsmagick[imagemagick] (as they conflict).
best ... khay

c00l.wave Apprentice
Joined: 24 Aug 2003 Posts: 264
Posted: Sun May 29, 2016 7:54 pm
AFAIK ImageMagick is now more secure than GraphicsMagick when it comes to those "ImageTragick"-related issues as the delegates/policy workarounds appear to have been implemented on portage but GM does not offer any such options. So, I'm not entirely sure what to do about GM.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sun May 29, 2016 9:37 pm
c00l.wave wrote: | AFAIK ImageMagick is now more secure than GraphicsMagick when it comes to those "ImageTragick"-related issues as the delegates/policy workarounds appear to have been implemented on portage but GM does not offer any such options. So, I'm not entirely sure what to do about GM. |
c00l.wave ... graphicsmagick is a different codebase (independent of imagemagick since 2002), I'm fairly certain that Ermishkin and Stewie, or indeed anyone, could test graphicsmagick for the same CVEs ... you're suggesting this hasn't happened and that the same issues are part of the graphicsmagick codebase, I suggest you provide evidence of this being the case.
best ... khay

c00l.wave Apprentice
Joined: 24 Aug 2003 Posts: 264
Posted: Sun May 29, 2016 9:46 pm
khayyam wrote: | I suggest you provide evidence of this being the case. |
Maybe you missed my post above from 18 May. Gentoo hasn't stabilized the latest release although GM's main developer (at least I assume he is) clearly states that there have been a number of security-relevant patches since the pretty old 1.3.18 release that is stable on portage... Also see the commit I mentioned and tell me again it is not related to "ImageTragick" investigation.
Yes, GM has been forked a long time ago and yes, GM has indeed taken better precautions to avoid what has just happened with IM. But that doesn't mean GM is completely bug-free and unaffected. And I don't see an easy way to disable the image formats or resource protocols in GM as, apparently, you can do in more recent IM versions (delegate & policy files). Or maybe I'm just blind - can you tell me where I can implement similar workarounds in GM as were proposed and implemented for IM? I couldn't find anything like that.
It may not be possible to run the IM exploits against GM but I doubt it's impossible to write an exploit against GM, especially the 1.3.18 release everyone on Gentoo is still installing unless using keywords. I'd be careful to call 1.3.18 secure if you read the changelog.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
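
The ImageMagick policy workaround mentioned in the post above consists of `policy.xml` entries that deny all rights to specific coders. As an added example (not part of the thread, and not ImageMagick's or Gentoo's own code), this Python sketch audits a policy file for those entries; the coder list follows the public ImageTragick mitigation advice, and the sample policy and function names are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders that the public ImageTragick mitigation advice says to disable.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample policy: two coders are deliberately left usable.
SAMPLE_POLICY = """
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MS*"/>
  <policy domain="coder" rights="read" pattern="URL"/>
</policymap>
"""


def coder_status(policy_xml, coders=RISKY_CODERS):
    """Map each coder to True only if the policy clearly denies it."""
    denied = dict.fromkeys(coders, False)
    granted = dict.fromkeys(coders, False)
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").strip().lower() != "coder":
            continue
        pattern = pol.get("pattern", "").strip().upper()
        rights = pol.get("rights", "").strip().lower()
        for coder in coders:
            # Patterns are globs; fnmatch covers * ? [] but not {a,b}.
            if fnmatch.fnmatchcase(coder, pattern):
                if rights == "none":
                    denied[coder] = True
                else:
                    granted[coder] = True
    # Conservative: any matching entry that grants rights counts as open,
    # so the verdict does not depend on rule-ordering semantics.
    return {c: denied[c] and not granted[c] for c in coders}


def unblocked(policy_xml, coders=RISKY_CODERS):
    """Return the coders a reviewer still has to deal with."""
    status = coder_status(policy_xml, coders)
    return [c for c in coders if not status[c]]


if __name__ == "__main__":
    for name in unblocked(SAMPLE_POLICY):
        print("not disabled by policy:", name)
```

To audit a real installation, pass in the contents of its `policy.xml`; the file's location depends on the distribution and the ImageMagick version.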

khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon May 30, 2016 3:07 pm
c00l.wave wrote: | khayyam wrote: | I suggest you provide evidence of this being the case. |
Maybe you missed my post above from 18 May. Gentoo hasn't stabilized the latest release although GM's main developer (at least I assume he is) clearly states that there have been a number of security-relevant patches since the pretty old 1.3.18 release that is stable on portage... Also see the commit I mentioned and tell me again it is not related to "ImageTragick" investigation. |
c00l.wave ... yes, I did miss that post, and yes sanity checking image path is "tragick".
c00l.wave wrote: | It may not be possible to run the IM exploits against GM but I doubt it's impossible to write an exploit against GM, especially the 1.3.18 release everyone on Gentoo is still installing unless using keywords. I'd be careful to call 1.3.18 secure if you read the changelog. |
OK, but the issue here is not with graphicsmagick but with distros, gentoo specifically.
best ... khay

pjeutr n00b
Joined: 29 Aug 2006 Posts: 21
Posted: Mon May 30, 2016 8:01 pm Post subject: GraphicsMagick and ImageMagick popen() shell vulnerability
There's another serious security issue with ImageMagick
http://permalink.gmane.org/gmane.comp.security.oss.general/19669
Doesn't seem to be related to previous one in this thread.
Solution seems simple but I don't know the impact of disabling popen.
Any expert opinion?

c00l.wave Apprentice
Joined: 24 Aug 2003 Posts: 264
Posted: Mon May 30, 2016 8:08 pm
In this case I'm actually fine with what the others said - wait for GM 1.3.24 to show up in portage (got released today) and replace IM. I guess this will actually kick 1.3.18 out of portage (or at least hard-mask it) and instead stabilize 1.3.24.
For GM: https://bugs.gentoo.org/show_bug.cgi?id=584512
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &

pjeutr n00b
Joined: 29 Aug 2006 Posts: 21
Posted: Mon May 30, 2016 9:16 pm
OK, in the meantime I'll check if I want to replace IM for GM. I'm not savvy with the pros and cons