[GM-announce] GraphicsMagick server exploits possible

[Bob F. <bfr...@si...>]

Today we heard of a GraphicsMagick 1.1.7 server installation where 
'gm' processes appeared to be listening for connections on port 80 
(the HTTP port).  GraphicsMagick is not designed to listen on a 
network port, but code does exist in libxml2 which can listen on a 
port and this code may be exercised by requesting to load an image 
from a ftp:// URL.  A bit of research reveals that there are known 
libxml2 exploits (e.g. http://marc.info/?l=bugtraq&m=109880813013482) 
which might be engaged via known exploits in this old version of 
GraphicsMagick (and old ImageMagick as well).

If you are using GraphicsMagick in a server application, please take 
care to make sure that you are using a modern release (e.g. 1.1.14 and 
1.2.5 include a large number of security fixes) and that the installed 
libxml2 is fully patched, or believed to be a secure version.

Thanks,

Bob
======================================
Bob Friesenhahn
bfr...@si..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/