[GM-announce] "ImageTragick" and GraphicsMagick

[Bob F. <bfr...@si...>]

Some of you may already be aware of an evolving set of ImageMagick 
exploits known as "ImageTragick" (https://imagetragick.com/).

GraphicsMagick forked from ImageMagick in late 2002.  Given its 
ancestry, GraphicsMagick does still share many common design elements 
with modern ImageMagick, including the MVG 'image' primitive.

While the most severe documented issues (e.g. shell commands in URLs) 
do not impact GraphicsMagick at all, it seems likely that some issues 
do impact GraphicsMagick, perhaps given some small modifications.  In 
fact, some issues with GraphicsMagick are already known.

I plan to perform an evaluation and post a report here at the end of 
Sunday, May 8th (approximately 3 days time).

Please take care to assure that use of GraphicsMagick to process 
untrusted files on servers is carefully sandboxed in chrooted 
environments, BSD jails, or Solaris zones, with processes using a user 
id which can not read/write sensitive files, so that the impact of 
exploits is limited.  Also, please take care with personal usages such 
as opening file attachments since a file attachment (even claiming to 
be a PNG or JPEG) might be a trojan and not all is as it seems.

You may be using ImageMagick or GraphicsMagick and not even know since 
desktop evironments often use these to open image files or to test 
what a file is.

Bob
-- 
Bob Friesenhahn
bfr...@si..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/