[GM-announce] GraphicsMagick server exploits possible
Swiss army knife of image processing
Brought to you by:
bfriesen
From: Bob F. <bfr...@si...> - 2008-11-09 17:31:40
|
Today we heard of a GraphicsMagick 1.1.7 server installation where 'gm' processes appeared to be listening for connections on port 80 (the HTTP port). GraphicsMagick is not designed to listen on a network port, but code does exist in libxml2 which can listen on a port and this code may be exercised by requesting to load an image from a ftp:// URL. A bit of research reveals that there are known libxml2 exploits (e.g. http://marc.info/?l=bugtraq&m=109880813013482) which might be engaged via known exploits in this old version of GraphicsMagick (and old ImageMagick as well). If you are using GraphicsMagick in a server application, please take care to make sure that you are using a modern release (e.g. 1.1.14 and 1.2.5 include a large number of security fixes) and that the installed libxml2 is fully patched, or believed to be a secure version. Thanks, Bob ====================================== Bob Friesenhahn bfr...@si..., http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/ |