===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1223
                        imagemagick security update
                                17 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3718 CVE-2016-3717 CVE-2016-3716
                   CVE-2016-3715 CVE-2016-3714 

Reference:         ASB-2016.0050
                   ESB-2016.1161
                   ESB-2016.1121

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3580

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3580-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
May 16, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 
                 CVE-2016-3718
Debian Bug     : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of a lack of sanitization of untrusted input. An
attacker with control over the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make HTTP
GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move
(CVE-2016-3716), or read (CVE-2016-3717) local files.

These vulnerabilities are particularly critical if ImageMagick processes
images coming from remote parties, for example as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via the /etc/ImageMagick-6/policy.xml file. In
addition, we introduce extra preventive measures, including some
sanitization of input filenames in the http/https delegates, the complete
removal of the PLT/Gnuplot decoder, and a requirement that the insecure
coders be explicitly referenced in the filename.
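One way to verify the policy.xml mitigation the advisory describes, as an added example that is not part of the DSA or the Debian package: the Python script below parses a policy.xml and reports which of the five coders named above are still permitted and whether indirect reads via @file paths (the path domain with pattern @*, the standard ImageTragick rule, assumed here to be what "indirect reads" refers to) remain allowed. The two embedded policies are constructed samples.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders that DSA-3580 says the update disables in /etc/ImageMagick-6/policy.xml.
REQUIRED_DENIED_CODERS = ("EPHEMERAL", "URL", "MVG", "MSL", "PLT")

def missing_mitigations(policy_xml: str) -> list:
    """Return the ImageTragick mitigations that policy_xml does NOT apply.
    A coder counts as denied when a <policy domain="coder" rights="none">
    glob pattern matches its name (matched case-insensitively here, which is
    a simplification of ImageMagick's own matching). Indirect reads count as
    blocked only with <policy domain="path" rights="none" pattern="@*">.
    ElementTree drops XML comments, so a commented-out rule does not count.
    """
    root = ET.fromstring(policy_xml)
    denied_patterns = []
    path_blocked = False
    for policy in root.iter("policy"):
        if policy.get("rights") != "none":
            continue
        if policy.get("domain") == "coder":
            denied_patterns.append(policy.get("pattern", "").upper())
        elif policy.get("domain") == "path" and policy.get("pattern") == "@*":
            path_blocked = True
    missing = [f"coder {c} still enabled" for c in REQUIRED_DENIED_CODERS
               if not any(fnmatch.fnmatchcase(c, p) for p in denied_patterns)]
    if not path_blocked:
        missing.append("indirect reads via @file paths still allowed")
    return missing

# Constructed sample: the only coder rule is commented out, so every coder
# (and @file indirect reads) is still permitted, as before the update.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
</policymap>"""

# Constructed sample with the rules the advisory describes for the fixed package.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, missing_mitigations(xml) or ["all mitigations present"])
```

To audit a live host, pass the contents of /etc/ImageMagick-6/policy.xml to missing_mitigations; an empty list means all five coders and @file reads are denied.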

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u2.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================