Hide Forgot
It was found that ImageMagick hangs if name of supplied file ends with colon ':'. If an attacker is able to have some control over the input file name, then this could be used to cause DOS by hanging the program. Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/275 CVE request: http://seclists.org/oss-sec/2016/q3/628
Created ImageMagick tracking bugs for this issue: Affects: fedora-all [bug 1380429]
This manifests differently on rhel-5 and rhel-6 vs rhel-7. The underlying issue seems to be that ImageMagick treats '' as an alias for stdin (along with '-'). $ identify - $ identify '' Colon syntax is used to specify the input file type. On rhel-7, any string can be used: [el7]$ identify png: <hangs reading stdin> [el7]$ identify nonsense: <hangs reading stdin> [el7]$ identify foo/bar/baz: <hangs reading stdin> on rhel-6 and rhel-5, the prefix must be a known image type: [el6]$ identify png: <hangs reading stdin> [el6]$ identify nonsense: identify: no decode delegate for this image format `' @ error/constitute.c/ReadImage/532. According to a comment on the upstream ticket, the empty string is no longer an alias for '-' .. possibly since 6.9.4-7 and 7.0.1-1. There it is also mentioned that '-' can be denied in policy.xml - unfortunately this doesn't work for ''.
The "colon at end" and ":/dev/stdin" problems can be mitigated by prefixing all filenames with ':' before passing to ImageMagick: $ FILENAME=:http: $ cp $testfile $FILENAME $ identify :$FILENAME ::http:=>:http: PNG 16x16 16x16+0+0 8-bit DirectClass 217B 0.000u 0:00.000 This doesn't deal with filename='-'. Two strategies are available to handle that: 1. convert the filename to a qualified path: ":./-" is safe for a file named "-" in the cwd 2. create an entry in policy.xml as described in upstream ticket. This will apply to all uses of ImageMagick, so if some processes have a legitimate use for reading stdin a finer approach is needed. #2 is not available on rhel-5, as ImageMagick 6.2.8 does not support the policy.xml file.