Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-23T16:37:25-07:00
by fmw42
On older systems (6.9.3.7), I can create a text file and convert it to a raster image by

Code:

im6937 convert text.txt test.gif

or

Code:

cat text.txt |\
im6937 convert text:- test.gif

and it works fine.

But on current IM, I get error messages

Code:

convert text.txt test.gif
convert: improper image header `text.txt' @ error/txt.c/ReadTXTImage/440.
convert: no images defined `text.jpg' @ error/convert.c/ConvertImageCommand/3257.

Code:

cat text.txt |\
convert text:- test.gif
Assertion failed: (exception != (ExceptionInfo *) NULL), function ReadTEXTImage, file coders/txt.c, line 197.
Abort trap

Are these related to the new policy.xml security fixes?

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-24T04:38:18-07:00
by magick
Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-30T16:22:14-07:00
by fmw42
Still seems to be a problem using IM 6.9.4.5 Q16 and IM 7.0.1.7 Q16

Code:

cat text.txt
testing

This fails:

Code:

convert text.txt text.gif
convert: improper image header `text.txt' @ error/txt.c/ReadTXTImage/443.
convert: no images defined `text.gif' @ error/convert.c/ConvertImageCommand/3257.



This works:

Code:

cat text.txt |\
convert text:- text.gif

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-31T03:44:08-07:00
by magick
Try
  • convert text:text.txt text.gif
The change was part of our review of ImageMagick to make it more secure. The MVG, MSL, and text coders now must be explicit (e.g. mvg:image.mvg).

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-31T09:27:30-07:00
by fmw42
Just to be clear, my error was about

Code:

convert text.txt text.gif

Not

Code:

convert text:text.txt text.gif

So I had no colon :

Is reading a simple text file textfile.txt as input considered the equivalent of text:textfile.txt?

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-31T09:44:32-07:00
by magick
To read a text file you need an explicit modifier (text:input.txt). Otherwise ImageMagick assumes it's pixels in the TXT format, e.g. convert logo: logo.txt.

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-31T09:58:33-07:00
by fmw42
Thanks. But this works,

Code:

im6937 convert text.txt text.gif

So do I assume that for the new security issues, one can no longer do that directly and now must add the text: (with colon prefix)

Code:

convert text:text.txt text.gif

Re: Possible security limitation IM 6.9.4.2 and 7.0.1.4 Q16 Mac OSX

Posted: 2016-05-31T16:24:55-07:00
by magick
Correct.
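
Added example (not part of the thread and not ImageMagick's own code): a small Python audit that flags `convert`/`magick` command lines whose input still relies on an implicit text, MVG or MSL coder and suggests the explicit form described in the replies above. The extension-to-coder mapping, the tool names and the sample lines are assumptions constructed for illustration; a flagged `.txt` input may still be genuine TXT pixel data, which is what ImageMagick assumes when no prefix is given.

```python
import shlex

# Coders the thread says must now be named explicitly (e.g. mvg:image.mvg).
# Assumption: the file extension is used to guess which coder was intended.
EXPLICIT_CODERS = {".txt": "text", ".mvg": "mvg", ".msl": "msl"}
TOOLS = {"convert", "magick"}  # assumption: commands this audit looks at


def split_pipeline(line):
    """Tokenise a command line and split it into stages at bare `|` tokens."""
    stages, current = [], []
    for token in shlex.split(line):
        if token == "|":
            stages.append(current)
            current = []
        else:
            current.append(token)
    stages.append(current)
    return stages


def audit_line(line):
    """Return (argument, suggested form) pairs for implicit-coder inputs."""
    findings = []
    for argv in split_pipeline(line):
        if not argv or argv[0] not in TOOLS:
            continue
        # The last argument is the output: `convert logo: logo.txt` writes
        # TXT pixel data on purpose, so outputs are never flagged.
        for arg in argv[1:-1]:
            if arg.startswith("-") or ":" in arg:
                continue  # an option, or the coder is already explicit
            dot = arg.rfind(".")
            coder = EXPLICIT_CODERS.get(arg[dot:].lower()) if dot != -1 else None
            if coder:
                findings.append((arg, f"{coder}:{arg}"))
    return findings


# Constructed sample lines modelled on the commands quoted in the thread.
SAMPLE = [
    "convert text.txt text.gif",
    "convert text:text.txt text.gif",
    "cat text.txt | convert text:- text.gif",
    "convert logo: logo.txt",
    "convert -size 200x200 drawing.MVG out.png",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", audit_line(line) or "ok")
```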