1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3580-1] imagemagick security update

    From Luciano Bello@1:229/2 to All on Mon May 16 19:40:01 2016
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3580-1 [email protected] https://www.debian.org/security/ Luciano Bello
    May 16, 2016 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : imagemagick
    CVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
    CVE-2016-3718
    Debian Bug : 823542

    Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
    several vulnerabilities in ImageMagick, a program suite for image
    manipulation. These vulnerabilities, collectively known as ImageTragick,
    are the consequence of lack of sanitization of untrusted input. An
    attacker with control on the image input could, with the privileges of
    the user running the application, execute code (CVE-2016-3714), make HTTP
    GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files.

    These vulnerabilities are particularly critical if Imagemagick processes
    images coming from remote parties, such as part of a web service.

    The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
    PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In
    addition, we introduce extra preventions, including some sanitization for
    input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the
    insecure coders.

    For the stable distribution (jessie), these problems have been fixed in
    version 8:6.8.9.9-5+deb8u2.

    We recommend that you upgrade your imagemagick packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCAAGBQJXOeIaAAoJEG7C3vaP/jd0ROMP/2Twg466ucZVRzucPlyGQv+e eyu80GMnB9UlRIXrrpAoVKr7F+FnwnZiMtzqLXuoRIms4+pESBRMVu7YXMRMWupi Nj0DaZClL07cBm4RDF+Nzr/UK4XCWFTeHxDKBBD684ddfIL6PeJoKzRd13Yt4/9Y 14oijuDSCGSjSM761UMYh1y6Gnr47zx93t6TzomGFpcnp8KVMJeEWnnWere7QNFk xxwdDQhnQXWHwQP8h4WvS9/z+tRzQ80cmBzmcAZDgZ4ApllUyxHiv5OqBaRSP6aD C0k8UedOBUTTq6TGQCCmsM/JOE2o3LAzlbbEMWY3C2a9DxJ+H9gpQ6RHqZcFSE4A fs5jeJkviUB2R9M6tPLAlBBDmiEyGYfgVjUiEq/Rq1pWKU6RCDxnjbd8Uu3Cv0IV QRIqfPuL8KUN/X0PjXvJGZXIsN3xyOCW22grQEsyldUyLe4UivHNhFdKp6zb3cyo YyCC+mmDOVl7SwJa2swztOHSPZ7xlv2o4tMuvGVIP9x6mmTD8X6nJlY1g7SqSEZf CELrEE9B8YDIbd8fhiKzFgsh5Rjae0+MQW3g6bA8gtCc5iwoAl67g+bUBPwPhaIs riOWsAjPFoYyzsMeMLJpEpe7rFzLOWutfv4Vi3f0F+QgIpq89e4X0HlSTsCrjrAl s+4kgn+3ifTDFT2joBj7
    =atw/
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)