Discussion:
[GM-help] ImageTragick
Max Baum
2016-05-04 19:52:32 UTC
Hi all,


is GraphicsMagick in any way affected by the current security issues
found in ImageMagick?

From your Website: "GraphicsMagick is originally derived from ImageMagick 5.5.2"

I'm pretty sure you already know it, but here is some info on the issues:
https://imagetragick.com/
http://www.openwall.com/lists/oss-security/2016/05/03/18

Thanks in advance!

Best,

Max
Bob Friesenhahn
2016-05-04 20:23:56 UTC
Post by Max Baum
> Hi all,
> is GraphicsMagick in any way affected by the current security issues
> found in ImageMagick?

GraphicsMagick does not suffer from the specific exploits described as
"ImageTragick" because the related code was either re-written to avoid
security issues or the ImageMagick implementation otherwise diverged.

However, there is one serious issue known to me now and I plan to
perform an investigation to make sure that any issues are properly
identified so that they can be addressed in an expedient yet
reasonable way.

Once the investigation has been performed, I plan to post to the
GraphicsMagick announcements list regarding any local
fixes/work-arounds which can be made without needing to upgrade
GraphicsMagick or which could be applied to an existing release of
GraphicsMagick to make it safer.

GraphicsMagick makes only two or three releases per year and many
people do not have a reasonable opportunity to use the latest release
because they use the release that their OS distribution provides. For
example, stable Ubuntu 14.04 is providing 1.3.18, which was released
in March of 2013. A very large number of security fixes have been
made since that release.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Max Baum
2016-05-04 20:57:48 UTC
Hi Bob,

thank you for your fast reply!

Can you share any information about the serious issue you mentioned yet?


Best,

Max
Bob Friesenhahn
2016-05-04 21:16:43 UTC
Post by Max Baum
> Hi Bob,
> thank you for your fast reply!
> Can you share any information about the serious issue you mentioned yet?

Only once I have had a proper chance to look at everything and make an
assessment. If it is disclosed in another way (by the person who
revealed it to me) then it won't matter.

I am at my day job at the moment, which has nothing to do with
GraphicsMagick.

It should not take long (a few hours) to see if there are any other
issues to be concerned about.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Yongjing Lu
2016-05-05 12:41:26 UTC
Thanks BobFor everything you have done for GM.
Bob Friesenhahn
2016-05-05 13:33:34 UTC
Post by Yongjing Lu
> Thanks Bob, for everything you have done for GM.

I will try not to let you down. :-)

A great many security issues have already been fixed in the
development code since the current release, which itself addressed
many security issues, as did the release before it.

The problems are not limited to GraphicsMagick and in fact the
security issues (most of which are very old!) were found because the
technology to discover such issues has advanced quite a lot in the
past several years.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/