Summary
The dot, figlet and cowsay remarkup rules are implemented in a way that creates a security risk, and a low-severity (but highly practical) attack has been developed against dot.
The figlet and cowsay rules have been reimplemented safely.
The dot rule cannot easily be reimplemented safely and has been removed.
Installs are encouraged to upgrade Phabricator or uninstall dot (Graphviz). Uninstalling dot will defuse the known attack. Upgrading Phabricator will defuse this class of attack.
Installs that rely on the dot rule may install it as an extension. This does not mitigate or defuse the risks. If you do this, you are making your install vulnerable.
Installs with custom Figlet fonts or cows may need to adjust how they are installed (see below).
Details
Phabricator currently ships with three "interpreter" rules in Remarkup: dot (Graphviz), figlet, and cowsay. These rules are invoked like this:
cowsay {{{ Moo! }}}
These rules are implemented by executing arbitrary binaries on the system. This approach is inherently risky, because executing unsandboxed binaries exposes a huge amount of attack surface. The rules are as safe as possible, given the approach: they are careful about argument handling, the binaries normally need to be explicitly installed by an administrator, and these binaries seemed unlikely to permit arbitrary code execution. But this approach still harbors substantial risk.
A security researcher recently found a practical attack against the dot interpreter which allows an attacker to disclose information about a system and potentially render images on the system into graphs. Although this attack is not especially severe, there is no way to prevent it or other similar attacks (which might be far more severe) under the "execute arbitrary unsandboxed binaries" approach these rules currently employ. You can read the details of the report here once it is disclosed:
https://hackerone.com/reports/88395
In response, we are removing all rules of this type from the upstream: empirically, the risks presented by this approach are too great. The figlet and cowsay rules are simple parsers and could be safely rewritten, but the dot rule is complex. We do not have a safe alternative to the dot rule at this time, and do not have immediate plans to provide one.
Upgrading: Figlet
The figlet rule has been rewritten to only execute trusted code. It is now available on all systems without requiring the figlet binary to be installed.
If you have custom .flf fonts, drop them into phabricator/resources/figlet/custom/ to make them available.
Upgrading: Cowsay
The cowsay rule has been rewritten to only execute trusted code. It is now available on all systems without requiring the cowsay binary to be installed.
If you have custom .cow cows, drop them into phabricator/resources/cows/custom/ to make them available.
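The safe reimplementation described above replaces "run the cowsay binary" with "parse the .cow template with trusted code and substitute only the three documented variables". The following is an added Python illustration of that approach, not Phabricator's own (PHP) code; the sample .cow file is constructed, and anything else in the template that looks like Perl (such as $ENV{...}) is left as inert text rather than evaluated.

```python
import re
import textwrap

# Constructed sample in the .cow format: a Perl heredoc assigning $the_cow.
SAMPLE_COW = r'''
$the_cow = <<"EOC";
        $thoughts   ^__^
         $thoughts  ($eyes)\\_______
            (__)\\       )\\/\\
             $tongue ||----w |
                ||     ||
EOC
'''

# Match the heredoc body without interpreting any Perl around it.
HEREDOC_RE = re.compile(
    r'\$the_cow\s*=\s*<<\s*"?(\w+)"?\s*;\s*\n(.*?)\n\1\s*$', re.S | re.M)

def parse_cow(text):
    """Extract the cow template from a .cow file; nothing is executed."""
    m = HEREDOC_RE.search(text)
    if not m:
        raise ValueError("no $the_cow heredoc found")
    return m.group(2)

def fill_cow(template, eyes="oo", tongue="  ", thoughts="\\"):
    """Substitute only $eyes/$tongue/$thoughts, then undo heredoc escapes."""
    subst = {"eyes": eyes, "tongue": tongue, "thoughts": thoughts}
    body = re.sub(r'\$(eyes|tongue|thoughts)\b',
                  lambda mm: subst[mm.group(1)], template)
    # In a double-quoted Perl heredoc, "\\" and "\@" denote "\" and "@".
    return body.replace("\\\\", "\\").replace("\\@", "@")

def speech_bubble(message, width=40):
    """Build cowsay's bubble: < > for one line, / | \\ borders otherwise."""
    lines = textwrap.wrap(message, width) or [""]
    inner = max(len(l) for l in lines)
    out = [" " + "_" * (inner + 2)]
    if len(lines) == 1:
        out.append("< " + lines[0].ljust(inner) + " >")
    else:
        out.append("/ " + lines[0].ljust(inner) + " \\")
        out.extend("| " + l.ljust(inner) + " |" for l in lines[1:-1])
        out.append("\\ " + lines[-1].ljust(inner) + " /")
    out.append(" " + "-" * (inner + 2))
    return "\n".join(out)

def render(cow_text, message, **opts):
    """Equivalent of the `cowsay {{{ message }}}` rule, with no subprocess."""
    return speech_bubble(message) + "\n" + fill_cow(parse_cow(cow_text), **opts)
```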
Upgrading: dot/Graphviz
This rule has been removed, because we cannot easily rewrite it to execute only trusted code or otherwise make it safe.
If you rely on this rule, you may install it as an extension by dropping this file into phabricator/src/extensions/: P1853