It was found that the gnuplot delegate functionality in ImageMagick and GraphicsMagick allows system command injection while interpreting gnuplot files.

Upstream patch (ImageMagick): http://git.imagemagick.org/repos/ImageMagick/commit/70a2cf326ed32bedee144b961005
Upstream patch (GraphicsMagick): http://hg.code.sf.net/p/graphicsmagick/code/rev/45998a25992d
Public via: http://www.openwall.com/lists/oss-security/2016/05/09/1
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2016:1237 https://access.redhat.com/errata/RHSA-2016:1237
To clear things up a bit:

* gnuplot files should not be processed when coming from an untrusted source, as they can contain dangerous commands.
* ImageMagick does not care. If it detects a gnuplot file, it tries to delegate it to gnuplot. If gnuplot is not installed or ImageMagick can't launch gnuplot, there should be no issue.

RHEL5 specific: The gnuplot delegation in RHEL5 is broken due to an unrelated issue. ImageMagick fails to launch gnuplot correctly, thus preventing this attack vector.
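As an added example (not code from this advisory, Red Hat, ImageMagick or GraphicsMagick), the Python below turns the two points above into pre-flight checks: whether an installed delegates.xml would hand input to gnuplot at all, with a helper that strips that entry, and a screen that recognises gnuplot-script input and lists the shell-escape constructs gnuplot itself provides (`!cmd`, `system("cmd")`, `shell`, `'< cmd'` data sources and `'| cmd'` outputs). The `gplt` decode tag and the echo-a-preamble-then-`load '%i'` command shape of the sample delegates.xml are assumptions modelled on upstream's file, not a quote of any release; the sample XML and the two gnuplot scripts are constructed.

```python
"""Pre-flight checks for the gnuplot delegate (added example, not project code)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ImageMagick's delegates.xml. The "gplt"
# decode tag and the command (echo a preamble that loads %i, then run gnuplot
# on it) are an assumption modelled on upstream's file, not a verbatim copy.
SAMPLE_DELEGATES_XML = """<delegatemap>
  <delegate decode="gplt" command="&quot;echo&quot; &quot;set terminal png; set output '%o'; load '%i'&quot; &gt; &quot;%u&quot;; &quot;gnuplot&quot; &quot;%u&quot;"/>
  <delegate decode="ps" command="&quot;gs&quot; -dBATCH -sOutputFile=&quot;%o&quot; &quot;%i&quot;"/>
</delegatemap>
"""


def gnuplot_delegates(xml_text):
    """Return (decode, command) pairs for every delegate that would run gnuplot.

    Matching on the command text as well as the tag catches builds that name
    the delegate differently from the assumed "gplt".
    """
    root = ET.fromstring(xml_text)
    hits = []
    for d in root.findall("delegate"):
        cmd = d.get("command", "")
        if d.get("decode") == "gplt" or "gnuplot" in cmd:
            hits.append((d.get("decode"), cmd))
    return hits


def strip_gnuplot_delegates(xml_text):
    """Return the delegates.xml text with every gnuplot delegate removed.

    Removing the entry leaves ImageMagick with nothing to launch, which is the
    "can't launch gnuplot, no issue" state described in the comment above.
    The XML declaration, if any, is not re-emitted by ET.tostring.
    """
    root = ET.fromstring(xml_text)
    for d in list(root.findall("delegate")):  # copy: we mutate while walking
        if d.get("decode") == "gplt" or "gnuplot" in d.get("command", ""):
            root.remove(d)
    return ET.tostring(root, encoding="unicode")


def looks_like_gnuplot(data):
    """Mimic the detection step: a shebang naming gnuplot on the first line.

    ImageMagick's own magic signature strings are not reproduced here; this
    heuristic is an assumption, so treat a False result as "not recognised by
    this check", not "safe to process".
    """
    first = data.split(b"\n", 1)[0]
    return first.startswith(b"#!") and b"gnuplot" in first


# Shell-escape features gnuplot provides. This is a blocklist for triage and
# evidence only: it is not complete (e.g. `load`/`call` of other files are
# omitted), and the control the comment above calls for is not to process
# untrusted gnuplot files at all.
GNUPLOT_SHELL_ESCAPES = (
    re.compile(rb"^\s*!", re.M),         # !cmd   runs cmd in a shell
    re.compile(rb"\bsystem\s*\("),       # system("cmd")
    re.compile(rb"^\s*shell\b", re.M),   # drops into an interactive shell
    re.compile(rb"""['"]\s*[<|]"""),     # '< cmd' data source, '| cmd' output
)


def shell_escapes_in(data):
    """Return the patterns (as strings) of the shell-escape constructs found."""
    return [p.pattern.decode() for p in GNUPLOT_SHELL_ESCAPES if p.search(data)]


# Constructed sample inputs: what an untrusted upload might look like.
MALICIOUS = (
    b"#!/usr/bin/gnuplot\n"
    b"set output '|touch /tmp/marker'\n"
    b"plot '< id'\n"
    b'system("id")\n'
)
BENIGN = b"#!/usr/bin/gnuplot\nset terminal png\nplot sin(x)\n"

if __name__ == "__main__":
    for decode, cmd in gnuplot_delegates(SAMPLE_DELEGATES_XML):
        print("gnuplot delegate present:", decode, "->", cmd)
    for name, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, "is gnuplot:", looks_like_gnuplot(blob),
              "escapes:", shell_escapes_in(blob))
```

Run `convert -list delegate` on the real host to see which delegates the installed build actually carries, and apply `strip_gnuplot_delegates` to the installed delegates.xml rather than the constructed sample. Note that the benign script triggers no escape pattern yet is still rejected by the first point above: recognising a gnuplot file is the decision point, and the escape list only explains why.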