[GM-announce] "ImageTragick" and GraphicsMagick
From: Bob F. <bfr...@si...> - 2016-05-05 18:43:31
Some of you may already be aware of an evolving set of ImageMagick exploits known as "ImageTragick" (https://imagetragick.com/).

GraphicsMagick forked from ImageMagick in late 2002. Given its ancestry, GraphicsMagick does still share many common design elements with modern ImageMagick, including the MVG 'image' primitive. While the most severe documented issues (e.g. shell commands in URLs) do not impact GraphicsMagick at all, it seems likely that some issues do impact GraphicsMagick, perhaps given some small modifications. In fact, some issues with GraphicsMagick are already known.

I plan to perform an evaluation and post a report here at the end of Sunday, May 8th (approximately 3 days time).

Please take care to assure that use of GraphicsMagick to process untrusted files on servers is carefully sandboxed in chrooted environments, BSD jails, or Solaris zones, with processes using a user id which cannot read/write sensitive files, so that the impact of exploits is limited.

Also, please take care with personal usages such as opening file attachments, since a file attachment (even claiming to be a PNG or JPEG) might be a trojan and not all is as it seems. You may be using ImageMagick or GraphicsMagick and not even know, since desktop environments often use these to open image files or to test what a file is.

Bob

--
Bob Friesenhahn
bfr...@si..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
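As an added illustration of the two pieces of advice above (sandbox server-side processing under an unprivileged user, and do not trust a file that merely claims to be a PNG or JPEG), here is example code written for this page; it is not GraphicsMagick project code. It gates an untrusted upload by checking that its extension is on an allow-list and agrees with the file's leading magic bytes, so that text formats such as MVG or SVG are refused before any decoder runs, and it then invokes `gm convert` with an explicit input-format prefix (so GraphicsMagick does not guess the decoder from content), as a dedicated uid/gid with CPU and memory limits, optionally wrapped in `chroot`. The uid/gid, the chroot directory (assumed to already contain `gm` and its libraries), the resource limits and the sample byte strings are assumptions or constructed values, not anything from the announcement.

```python
import os
import resource
import subprocess

# Leading bytes ("magic numbers") of the only raster formats this gate accepts.
# Text formats such as MVG or SVG have no entry here, so a file claiming to be
# a PNG or JPEG but actually carrying drawing commands is refused up front,
# before GraphicsMagick ever gets a chance to sniff and decode it.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Allowed file extensions, mapped to the canonical format name above.
EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def detect_format(data):
    """Return the raster format implied by the file's leading bytes, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def check_upload(filename, data):
    """Gate an untrusted upload: the extension must be on the allow-list and
    must agree with the content.  Returns (True, format) or (False, reason)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = EXTENSIONS.get(ext)
    if claimed is None:
        return False, "extension '.%s' is not on the allow-list" % ext
    actual = detect_format(data)
    if actual is None:
        return False, "content is not a recognised raster format"
    if actual != claimed:
        return False, "extension says %s but content is %s" % (claimed, actual)
    return True, actual


def gm_convert_argv(src, dst, fmt, chroot_dir=None):
    """Build the 'gm convert' command line.  The explicit 'fmt:' prefix on the
    input path tells GraphicsMagick which decoder to use instead of letting it
    guess from the content.  chroot_dir (optional, an assumption of this
    example) wraps the call in chroot(8); the jail is assumed to already
    contain gm and its shared libraries, and src/dst are paths inside it."""
    argv = ["gm", "convert", "%s:%s" % (fmt, src), dst]
    if chroot_dir:
        argv = ["chroot", chroot_dir] + argv
    return argv


def drop_privileges(uid, gid, cpu_seconds=30, mem_bytes=256 * 2 ** 20):
    """preexec_fn for the child: cap CPU and address space, then switch to an
    unprivileged account that cannot read or write anything sensitive.
    The default limits are arbitrary example values."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def convert_untrusted(filename, data, workdir, uid, gid, chroot_dir=None):
    """Validate the upload, then convert it to PNG inside the sandbox.
    Raises ValueError if the gate rejects the file."""
    ok, info = check_upload(filename, data)
    if not ok:
        raise ValueError(info)
    src = os.path.join(workdir, "input." + info)
    dst = os.path.join(workdir, "output.png")
    with open(src, "wb") as fh:
        fh.write(data)
    subprocess.run(gm_convert_argv(src, dst, info, chroot_dir), check=True,
                   timeout=60, preexec_fn=lambda: drop_privileges(uid, gid))
    return dst


# Constructed sample inputs (file headers only, not real images):
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TEXT_SAMPLE = b'<?xml version="1.0"?><svg/>'  # text content wearing a .png name

if __name__ == "__main__":
    print(check_upload("photo.png", PNG_SAMPLE))   # accepted as png
    print(check_upload("photo.png", TEXT_SAMPLE))  # rejected: not a raster format
    print(check_upload("photo.jpg", PNG_SAMPLE))   # rejected: extension/content mismatch
```

The magic-byte gate and the format prefix are independent layers: the first keeps text-based drawing files out entirely, the second stops the decoder being chosen by the attacker's content even if a check is later loosened. Neither replaces the jail and unprivileged uid the announcement asks for; they only shrink what reaches it.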