Dev:Security - Revision history

Zelgadis: moved Security to Dev:Security

2010-02-21T05:56:38Z

moved Security to Dev:Security

Zelgadis: Text replace - ']]' to '}}'

2009-09-08T07:23:45Z

Text replace - ']]' to '}}'

Zelgadis: Text replace - '[[' to '{{l|'

2009-09-08T05:21:02Z

Text replace - '[[' to '{{l|'

PaulWise: format fix

2008-07-05T06:59:34Z

format fix

PaulWise: add initial bash at a security page

2008-07-05T06:58:45Z

add initial bash at a security page

New page

== Specific issues ==

=== Unix ===

Unix platforms include Linux, BSD, MacOS X, Solaris and so on.

No known issues in 0.61.08 and later, please [[Contact|report]] them if you find any.

synfig 0.61.07 and earlier are vulnerable to the issues still present in the Windows version, see below.

=== Windows ===

If you are given files from someone else and you render them using the dv, imagemagick or ffmpeg targets, they may cause synfig to run arbitrary programs (including malicious ones like formatting your hard drive). Currently the only way to avoid these issues is to not use the targets on untrusted sif/sifz files, or switch to Linux or Mac. The issues are due to the use of the popen/system calls, which run the encodedv, convert and ffmpeg command-line programs. We weren't yet able to find a way to fix the issues (patches welcome) because of the way Windows does command-line arguments - one big string parsed by the application instead of one string per command-line argument. The issues are with special chars, the alphanumeric ones and spaces/tabs should be safe. Specific issues include:

* dv, imagemagick, ffmpeg
**render output filenames with special characters
* ffmpeg only
** sif files that import filenames with special chars (only way to check is to look with a text editor before loading)
** sif files that have a document name with special chars (see Edit->Properties->Name)

These are *ONLY* an issue if you have the convert (imagemagick), encodedv (dv) or ffmpeg binaries installed and in your PATH environment variable or in the same dir as synfig.exe/synfigstudio.exe. Most people will not have them installed or will not have them in a place where they can be run. You would need to explicitly set them up for execution, unless their installers do that for you.

== General issues ==

Synfig relies on a lot of libraries and a few programs for loading the .sif XML format and for importing data. Synfig thus may provide a channel for attacking these libraries. Please ensure you keep your system up to date with security patches.

@@ Line 5: / Line 5: @@
 Unix platforms include Linux, BSD, MacOS X, Solaris and so on.
-No known issues in 0.61.08 and later, please {{l|Contact|report]] them if you find any.
+No known issues in 0.61.08 and later, please {{l|Contact|report}} them if you find any.
 synfig 0.61.07 and earlier are vulnerable to the issues still present in the Windows version, see below.

← Older revision	Revision as of 05:56, 21 February 2010
(No difference)

@@ Line 19: / Line 19: @@
 ** sif files that have a document name with special chars (see Edit->Properties->Name)
-These are *ONLY* an issue if you have the convert (imagemagick), encodedv (dv) or ffmpeg binaries installed and in your PATH environment variable or in the same dir as synfig.exe/synfigstudio.exe. Most people will not have them installed or will not have them in a place where they can be run. You would need to explicitly set them up for execution, unless their installers do that for you.
+These are '''ONLY''' an issue if you have the convert (imagemagick), encodedv (dv) or ffmpeg binaries installed and in your PATH environment variable or in the same dir as synfig.exe/synfigstudio.exe. Most people will not have them installed or will not have them in a place where they can be run. You would need to explicitly set them up for execution, unless their installers do that for you.
 == General issues ==
 Synfig relies on a lot of libraries and a few programs for loading the .sif XML format and for importing data. Synfig thus may provide a channel for attacking these libraries. Please ensure you keep your system up to date with security patches.