[SECURITY] [DLA 486-1] imagemagick security update

2016-05-2302:34:38

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

8.3

Confidence

Low

EPSS

0.974

Percentile

99.9%

JSON

Package : imagemagick
Version : 8:6.7.7.10-5+deb7u5
CVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
CVE-2016-3718
Debian Bug : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of lack of sanitization of untrusted input. An
attacker with control on the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make
HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715),
move (CVE-2016-3716), or read (CVE-2016-3717) local files.

These vulnerabilities are particularly critical if Imagemagick processes
images coming from remote parties, such as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via /etc/ImageMagick/policy.xml file. In
addition, we introduce extra preventions, including some sanitization
for input filenames in http/https delegates, the full remotion of
PLT/Gnuplot decoder, and the need of explicit reference in the filename
for the insecure coders.

For the wheezy, these problems have been fixed in version
8:6.7.7.10-5+deb7u5.

We recommend that you upgrade your imagemagick packages.

Brian May <[email protected]>

OSVersionArchitecturePackageVersionFilename
Debian7armellibgraphicsmagick++3< 1.3.16-1.1+deb7u1libgraphicsmagick++3_1.3.16-1.1+deb7u1_armel.deb
Debian8armellibgraphicsmagick++3< 1.3.20-3+deb8u3libgraphicsmagick++3_1.3.20-3+deb8u3_armel.deb
Debian7armelgraphicsmagick< 1.3.16-1.1+deb7u1graphicsmagick_1.3.16-1.1+deb7u1_armel.deb
Debian8i386libimage-magick-q16-perl< 8:6.8.9.9-5+deb8u2libimage-magick-q16-perl_8:6.8.9.9-5+deb8u2_i386.deb
Debian8s390xlibmagickcore-6.q16-2-extra< 8:6.8.9.9-5+deb8u2libmagickcore-6.q16-2-extra_8:6.8.9.9-5+deb8u2_s390x.deb
Debian8armelgraphicsmagick< 1.3.20-3+deb8u3graphicsmagick_1.3.20-3+deb8u3_armel.deb
Debian7armellibmagick++-dev< 8:6.7.7.10-5+deb7u5libmagick++-dev_8:6.7.7.10-5+deb7u5_armel.deb
Debian8amd64imagemagick-6.q16< 8:6.8.9.9-5+deb8u2imagemagick-6.q16_8:6.8.9.9-5+deb8u2_amd64.deb
Debian7i386libmagick++-dev< 8:6.7.7.10-5+deb7u5libmagick++-dev_8:6.7.7.10-5+deb7u5_i386.deb
Debian7amd64libmagickwand-dev< 8:6.7.7.10-5+deb7u5libmagickwand-dev_8:6.7.7.10-5+deb7u5_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	armel	libgraphicsmagick++3	< 1.3.16-1.1+deb7u1	libgraphicsmagick++3_1.3.16-1.1+deb7u1_armel.deb
Debian	8	armel	libgraphicsmagick++3	< 1.3.20-3+deb8u3	libgraphicsmagick++3_1.3.20-3+deb8u3_armel.deb
Debian	7	armel	graphicsmagick	< 1.3.16-1.1+deb7u1	graphicsmagick_1.3.16-1.1+deb7u1_armel.deb
Debian	8	i386	libimage-magick-q16-perl	< 8:6.8.9.9-5+deb8u2	libimage-magick-q16-perl_8:6.8.9.9-5+deb8u2_i386.deb
Debian	8	s390x	libmagickcore-6.q16-2-extra	< 8:6.8.9.9-5+deb8u2	libmagickcore-6.q16-2-extra_8:6.8.9.9-5+deb8u2_s390x.deb
Debian	8	armel	graphicsmagick	< 1.3.20-3+deb8u3	graphicsmagick_1.3.20-3+deb8u3_armel.deb
Debian	7	armel	libmagick++-dev	< 8:6.7.7.10-5+deb7u5	libmagick++-dev_8:6.7.7.10-5+deb7u5_armel.deb
Debian	8	amd64	imagemagick-6.q16	< 8:6.8.9.9-5+deb8u2	imagemagick-6.q16_8:6.8.9.9-5+deb8u2_amd64.deb
Debian	7	i386	libmagick++-dev	< 8:6.7.7.10-5+deb7u5	libmagick++-dev_8:6.7.7.10-5+deb7u5_i386.deb
Debian	7	amd64	libmagickwand-dev	< 8:6.7.7.10-5+deb7u5	libmagickwand-dev_8:6.7.7.10-5+deb7u5_amd64.deb