Bug 1380428

Summary: ImageMagick: Hang when supplying file ending with colon to identify
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abhgupta, dmcphers, dmoppert, ethan, jhorak, jialiu, jokerman, kseifried, lmeyer, mmccomas, nmurray, pahan, sardella, tiwillia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-10 01:00:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1380429
Bug Blocks: 1380431

Description Adam Mariš 2016-09-29 14:51:47 UTC
It was found that ImageMagick hangs if the name of the supplied file ends with a colon ':'. If an attacker is able to have some control over the input file name, then this could be used to cause a DoS by hanging the program.

Upstream bug:

https://github.com/ImageMagick/ImageMagick/issues/275

CVE request:

http://seclists.org/oss-sec/2016/q3/628

Comment 1 Adam Mariš 2016-09-29 14:53:03 UTC
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1380429]

Comment 2 Doran Moppert 2016-09-30 00:34:15 UTC
This manifests differently on rhel-5 and rhel-6 vs rhel-7.

The underlying issue seems to be that ImageMagick treats '' as an alias for stdin (along with '-').

 $ identify -

 $ identify ''

Colon syntax is used to specify the input file type.  On rhel-7, any string can be used:

 [el7]$ identify png:
  <hangs reading stdin>

 [el7]$ identify nonsense:
  <hangs reading stdin>

 [el7]$ identify foo/bar/baz:
  <hangs reading stdin>

On rhel-6 and rhel-5, the prefix must be a known image type:

 [el6]$ identify png:
  <hangs reading stdin>

 [el6]$ identify nonsense:
 identify: no decode delegate for this image format `' @ error/constitute.c/ReadImage/532.
According to a comment on the upstream ticket, the empty string is no longer an
alias for '-' .. possibly since 6.9.4-7 and 7.0.1-1.  There it is also
mentioned that '-' can be denied in policy.xml - unfortunately this doesn't
work for ''.

Comment 4 Doran Moppert 2016-09-30 00:36:39 UTC
The "colon at end" and ":/dev/stdin" problems can be mitigated by prefixing all
filenames with ':' before passing to ImageMagick:

 $ FILENAME=:http:
 $ cp $testfile $FILENAME
 $ identify :$FILENAME
 ::http:=>:http: PNG 16x16 16x16+0+0 8-bit DirectClass 217B 0.000u 0:00.000

This doesn't deal with filename='-'.  Two strategies are available to handle that:

 1. convert the filename to a qualified path:  ":./-" is safe for a file named "-" in the cwd

 2. create an entry in policy.xml as described in upstream ticket.  This will apply to all uses of ImageMagick, so if some processes have a legitimate use for reading stdin a finer approach is needed.

#2 is not available on rhel-5, as ImageMagick 6.2.8 does not support the policy.xml file.
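One way to apply the mitigation from comment 4 in a caller's own code, as an added example that is not part of the bug report or of ImageMagick: a shell helper that qualifies any relative name with "./" and then prefixes ":" before the name reaches identify/convert. The comment only shows the "./" step for a file named "-"; applying it to every relative name, and assuming ImageMagick honours the leading ":" for such names the same way it does for ":./-" and "::http:", are my generalizations.

```shell
# Added example (not from the bug report): normalize an untrusted filename
# before passing it to an ImageMagick CLI, following comment 4 above.
# Assumption (not stated on the page): every relative name, not only "-",
# may be qualified with "./", and the leading ":" is honoured for all of them.

im_safe_name() {
    name=$1
    # The empty string is an alias for stdin on affected versions (comment 2),
    # so refuse it outright rather than trying to qualify it.
    if [ -z "$name" ]; then
        echo "im_safe_name: empty filename refused" >&2
        return 1
    fi
    case $name in
        /*)  qualified=$name ;;        # absolute path: nothing to qualify
        ./*) qualified=$name ;;        # already cwd-qualified
        *)   qualified="./$name" ;;    # "-", "png:", "foo/bar:", ":http:" ...
    esac
    # A leading ":" is an explicit empty format prefix, so a trailing ":" or a
    # bare "-" in the name can no longer select stdin or a decoder.
    printf ':%s\n' "$qualified"
}

# Usage (constructed): identify "$(im_safe_name "$untrusted_name")"
```

The helper only rewrites the name; it does not replace a policy.xml restriction on "-" where one is available.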