From: Bob Friesenhahn <bfriesen@si...> - 2008-11-09 17:31:40
Today we heard of a GraphicsMagick 1.1.7 server installation where
'gm' processes appeared to be listening for connections on port 80
(the HTTP port). GraphicsMagick is not designed to listen on a
network port, but code does exist in libxml2 which can listen on a
port and this code may be exercised by requesting to load an image
from a ftp:// URL. A bit of research reveals that there are known
libxml2 exploits (e.g. http://marc.info/?l=bugtraq&m=109880813013482)
which might be engaged via known exploits in this old version of
GraphicsMagick (and old ImageMagick as well).
If you are using GraphicsMagick in a server application, please take
care to make sure that you are using a modern release (e.g. 1.1.14 and
1.2.5 include a large number of security fixes) and that the installed
libxml2 is fully patched, or believed to be a secure version.
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/