Bugzilla – Bug 982178
VUL-0: CVE-2016-5118: ImageMagick, GraphicsMagick: popen() shell vulnerability via filename
Last modified: 2019-08-16 17:17:11 UTC
CVE-2016-5118

> if the first character of the file specification is
> a '|', then the remainder of the filename is passed to the shell for
> execution using the POSIX popen(3C) function
>
> The simple solution to the problem is to disable the popen support
> (HAVE_POPEN) in GraphicsMagick's magick/blob.c as is done by the
> attached patch.

Use CVE-2016-5118.

> Previously supplied recommended patches for GraphicsMagick do
> successfully block this attack vector in SVG and MVG.

If there was a previous announcement of a vulnerability fix for a subset of the exploitation methodologies, then a separate CVE ID is also needed. The scope of CVE-2016-5118 is only the new "initial | character" information announced in the http://www.openwall.com/lists/oss-security/2016/05/29/7 post. (For example, if there had previously been any type of announcement that the xlink:href="| substring was being blocked in the native SVG readers, then that can have its own unique CVE ID.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5118
http://seclists.org/oss-sec/2016/q2/433
http://www.openwall.com/lists/oss-security/2016/05/29/7
The functionality can be demonstrated as follows:

% rm -f hello.txt
% convert '|echo Hello > hello.txt;' null:
% ls hello.txt
hello.txt

More details can be found in the original post.
http://seclists.org/oss-sec/2016/q2/432

disable-popen-filename.patch:
diff -r 33200fc645f6 magick/blob.c --- a/magick/blob.c Sat Nov 07 14:49:16 2015 -0600 +++ b/magick/blob.c Sun May 29 14:12:57 2016 -0500 @@ -68,6 +68,7 @@ */ #define DefaultBlobQuantum 65541 +#undef HAVE_POPEN /* Enum declarations.
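Review bot: the `#undef HAVE_POPEN` added after `#define DefaultBlobQuantum 65541` in magick/blob.c carries no comment saying why pipe support is being switched off, so a later cleanup could remove it as a stray line. Add a one-line comment naming the leading-'|' filename handling and CVE-2016-5118. The undef only takes effect in this file, so it is also worth checking that no other source file tests HAVE_POPEN when opening a filename, and considering a configure-time switch rather than an unconditional undef so the build records that the feature is off.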
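The filename dispatch described in this report, and the effect of disabling it, as an added C example (not GraphicsMagick or ImageMagick code and not part of the bug thread). The names `blob`, `open_blob`, `probe` and the `allow_pipe` flag are hypothetical, and the sample specification is constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* popen()/pclose() declarations */
#endif
#include <stdio.h>

/* All names are hypothetical; this is not GraphicsMagick's OpenBlob(). */
typedef enum { BLOB_NONE, BLOB_FILE, BLOB_PIPE } blob_kind;
typedef struct { FILE *fp; blob_kind kind; } blob;

/*
 * allow_pipe != 0: legacy dispatch, a leading '|' hands the rest of the
 *                  specification to the shell through popen().
 * allow_pipe == 0: effect of "#undef HAVE_POPEN"; the whole specification,
 *                  '|' included, is only ever tried as a literal file name.
 */
static blob open_blob(const char *spec, int allow_pipe)
{
    blob b = { NULL, BLOB_NONE };
    if (spec == NULL || spec[0] == '\0')
        return b;
    if (allow_pipe && spec[0] == '|') {
        b.fp = popen(spec + 1, "r");
        if (b.fp != NULL) b.kind = BLOB_PIPE;
        return b;
    }
    b.fp = fopen(spec, "rb");
    if (b.fp != NULL) b.kind = BLOB_FILE;
    return b;
}

/* Reports how a specification was opened, then releases the handle. */
static blob_kind probe(const char *spec, int allow_pipe)
{
    blob b = open_blob(spec, allow_pipe);
    if (b.kind == BLOB_PIPE) pclose(b.fp);
    else if (b.kind == BLOB_FILE) fclose(b.fp);
    return b.kind;
}

int main(void)
{
    const char *spec = "|echo constructed-sample";   /* constructed input */
    printf("popen enabled:  kind=%d\n", probe(spec, 1));
    printf("popen disabled: kind=%d\n", probe(spec, 0));
    return 0;
}
```

With the pipe branch compiled out, the same specification fails as an ordinary missing file, which matches the "No such file or directory" errors in the AFTER transcripts on this bug.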
RedHat Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1340814
Same CVE number should be used for both ImageMagick and GraphicsMagick?
BEFORE: see comment 0

AFTER:
$ rm -f hello.txt; gm convert '|echo Hello > hello.txt;' null:; cat hello.txt
gm convert: Unable to open file (|echo Hello > hello.txt;) [No such file or directory].
cat: hello.txt: No such file or directory
$
This is an autogenerated message for OBS integration:
This bug (982178) was mentioned in
https://build.opensuse.org/request/show/398980 Factory / GraphicsMagick
https://build.opensuse.org/request/show/398981 13.2 / GraphicsMagick
https://build.opensuse.org/request/show/398982 42.1 / GraphicsMagick
BEFORE: see comment 0

AFTER:
$ rm -f hello.txt; convert '|echo Hello > hello.txt;' null:; cat hello.txt
Magick: unable to open image `|echo Hello > hello.txt;': No such file or directory @ error/blob.c/OpenBlob/2705.
Magick: no decode delegate for this image format `TXT;' @ error/constitute.c/ReadImage/501.
Magick: no images defined `null:' @ error/convert.c/ConvertImageCommand/3257.
cat: hello.txt: No such file or directory
$
bugbot adjusting priority
Packages submitted.
This is an autogenerated message for OBS integration:
This bug (982178) was mentioned in
https://build.opensuse.org/request/show/399073 13.2 / ImageMagick
https://build.opensuse.org/request/show/399075 Factory / ImageMagick
openSUSE-SU-2016:1521-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
openSUSE Leap 42.1 (src): GraphicsMagick-1.3.21-8.1
openSUSE-SU-2016:1522-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
openSUSE 13.2 (src): GraphicsMagick-1.3.20-6.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-06-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62808
openSUSE-SU-2016:1534-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
openSUSE 13.2 (src): ImageMagick-6.8.9.8-21.1
SUSE-SU-2016:1570-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 867943,982178
CVE References: CVE-2016-5118
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Workstation Extension 12 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Software Development Kit 12 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Server 12-SP1 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Server 12 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Desktop 12-SP1 (src): ImageMagick-6.8.8.1-25.1
SUSE Linux Enterprise Desktop 12 (src): ImageMagick-6.8.8.1-25.1
SUSE-SU-2016:1610-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 982178
CVE References: CVE-2016-5118
Sources used:
SUSE OpenStack Cloud 5 (src): ImageMagick-6.4.3.6-7.40.1
SUSE Manager Proxy 2.1 (src): ImageMagick-6.4.3.6-7.40.1
SUSE Manager 2.1 (src): ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Server 11-SP4 (src): ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src): ImageMagick-6.4.3.6-7.40.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): ImageMagick-6.4.3.6-7.40.1
SUSE-SU-2016:1614-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 851064,965574,982178
CVE References: CVE-2013-4589,CVE-2015-8808,CVE-2016-5118
Sources used:
SUSE Studio Onsite 1.3 (src): GraphicsMagick-1.2.5-4.38.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): GraphicsMagick-1.2.5-4.38.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): GraphicsMagick-1.2.5-4.38.1
released. needinfo on alex ... I think the same CVE should be used
openSUSE-SU-2016:1653-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 867943,982178
CVE References: CVE-2016-5118
Sources used:
openSUSE Leap 42.1 (src): ImageMagick-6.8.8.1-12.1
This is an autogenerated message for OBS integration:
This bug (982178) was mentioned in
https://build.opensuse.org/request/show/442718 42.2 / GraphicsMagick
openSUSE-SU-2016:3060-1: An update that fixes 31 vulnerabilities is now available.
Category: security (important)
Bug References: 1000399,1000434,1000689,1000698,1000704,1000707,1000711,1001066,1001221,1002206,1002209,1002422,1003629,1005123,1005125,1005127,1007245,1011130,982178,983521,983752,983794,983799,984145,984150,984166,984372,984375,984394,984400,984436
CVE References: CVE-2014-9805,CVE-2014-9807,CVE-2014-9809,CVE-2014-9815,CVE-2014-9817,CVE-2014-9820,CVE-2014-9831,CVE-2014-9834,CVE-2014-9835,CVE-2014-9837,CVE-2014-9845,CVE-2014-9846,CVE-2014-9853,CVE-2016-5118,CVE-2016-6823,CVE-2016-7101,CVE-2016-7515,CVE-2016-7522,CVE-2016-7528,CVE-2016-7529,CVE-2016-7531,CVE-2016-7533,CVE-2016-7537,CVE-2016-7800,CVE-2016-7996,CVE-2016-7997,CVE-2016-8682,CVE-2016-8683,CVE-2016-8684,CVE-2016-8862,CVE-2016-9556
Sources used:
openSUSE Leap 42.2 (src): GraphicsMagick-1.3.25-3.1