
[SECURITY] [DLA 486-1] imagemagick security update




Package        : imagemagick
Version        : 8:6.7.7.10-5+deb7u5
CVE ID         : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 
                 CVE-2016-3718
Debian Bug     : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of a lack of sanitization of untrusted input. An
attacker with control over the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make
HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715),
move (CVE-2016-3716), or read (CVE-2016-3717) local files.

These vulnerabilities are particularly critical if ImageMagick processes
images coming from remote parties, for example as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via the /etc/ImageMagick/policy.xml file. In
addition, we introduce extra preventions, including some sanitization
of input filenames in the http/https delegates, the complete removal of
the PLT/Gnuplot decoder, and the requirement that the insecure coders be
referenced explicitly in the filename.
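The policy.xml mitigation described above can be audited mechanically. The following is an added example, not part of the advisory or of the Debian package: it parses a policy file and reports which of the five named coders are not denied and whether indirect "@file" reads are blocked. Both policy documents embedded below are constructed samples, and the `domain`/`rights`/`pattern` attributes are the form ImageMagick's policy.xml uses.

```python
"""Audit an ImageMagick policy.xml for the ImageTragick mitigations.

Added example (not from the Debian advisory). The sample policies are
constructed for illustration; point audit_policy() at a real file's text.
"""
import xml.etree.ElementTree as ET

# Coders the advisory says the update disables via policy.xml.
TRAGICK_CODERS = {"EPHEMERAL", "URL", "MVG", "MSL", "PLT"}

# Constructed sample: a policy that denies nothing relevant (weak state).
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: the hardened policy, using <policy> elements with
# domain/rights/pattern attributes as policy.xml expects.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""


def denied_patterns(policy_xml: str, domain: str) -> set:
    """Return the patterns in `domain` whose rights are set to "none"."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == domain and p.get("rights", "").lower() == "none"
    }


def audit_policy(policy_xml: str) -> dict:
    """Report which of the advisory's mitigations the policy is missing."""
    coders = denied_patterns(policy_xml, "coder")
    paths = denied_patterns(policy_xml, "path")
    return {
        "missing_coders": sorted(TRAGICK_CODERS - coders),
        # The "@*" path pattern denies the @filename indirect-read form.
        "indirect_reads_blocked": "@*" in paths,
    }


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol))
```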

For the wheezy distribution, these problems have been fixed in version
8:6.7.7.10-5+deb7u5.

We recommend that you upgrade your imagemagick packages.
-- 
Brian May <bam@debian.org>

