Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.0003
graphicsmagick security update
3 January 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: graphicsmagick
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-9830 CVE-2016-8684 CVE-2016-8683
CVE-2016-8682 CVE-2016-7997 CVE-2016-7996
CVE-2016-7800 CVE-2016-5240 CVE-2016-5118
CVE-2016-3715 CVE-2016-3714 CVE-2016-2318
CVE-2016-2317 CVE-2015-8808
Reference: ASB-2016.0050
ESB-2016.2847
ESB-2016.1705
ESB-2016.1161
ESB-2016.1121
Original Bulletin:
http://www.debian.org/security/2016/dsa-3746
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3746-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
December 24, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : graphicsmagick
CVE ID : CVE-2015-8808 CVE-2016-2317 CVE-2016-2318 CVE-2016-3714
CVE-2016-3715 CVE-2016-5118 CVE-2016-5240 CVE-2016-7800
CVE-2016-7996 CVE-2016-7997 CVE-2016-8682 CVE-2016-8683
CVE-2016-8684 CVE-2016-9830
Debian Bug : 814732 825800 847055
Several vulnerabilities have been discovered in GraphicsMagick, a
collection of image processing tool, which can cause denial of service
attacks, remote file deletion, and remote command execution.
This security update removes the full support of PLT/Gnuplot decoder to
prevent Gnuplot-shell based shell exploits for fixing the CVE-2016-3714
vulnerability.
The undocumented "TMP" magick prefix no longer removes the argument file
after it has been read for fixing the CVE-2016-3715 vulnerability. Since
the "TMP" feature was originally implemented, GraphicsMagick added a
temporary file management subsystem which assures that temporary files
are removed so this feature is not needed.
Remove support for reading input from a shell command, or writing output
to a shell command, by prefixing the specified filename (containing the
command) with a '|' for fixing the CVE-2016-5118 vulnerability.
CVE-2015-8808
Gustavo Grieco discovered an out of bound read in the parsing of GIF
files which may cause denial of service.
CVE-2016-2317
Gustavo Grieco discovered a stack buffer overflow and two heap buffer
overflows while processing SVG images which may cause denial of service.
CVE-2016-2318
Gustavo Grieco discovered several segmentation faults while processing
SVG images which may cause denial of service.
CVE-2016-5240
Gustavo Grieco discovered an endless loop problem caused by negative
stroke-dasharray arguments while parsing SVG files which may cause
denial of service.
CVE-2016-7800
Marco Grassi discovered an unsigned underflow leading to heap overflow
when parsing 8BIM chunk often attached to JPG files which may cause
denial of service.
CVE-2016-7996
Moshe Kaplan discovered that there is no check that the provided
colormap is not larger than 256 entries in the WPG reader which may
cause denial of service.
CVE-2016-7997
Moshe Kaplan discovered that an assertion is thrown for some files in
the WPG reader due to a logic error which may cause denial of service.
CVE-2016-8682
Agostino Sarubbo of Gentoo discovered a stack buffer read overflow
while reading the SCT header which may cause denial of service.
CVE-2016-8683
Agostino Sarubbo of Gentoo discovered a memory allocation failure in the
PCX coder which may cause denial of service.
CVE-2016-8684
Agostino Sarubbo of Gentoo discovered a memory allocation failure in the
SGI coder which may cause denial of service.
CVE-2016-9830
Agostino Sarubbo of Gentoo discovered a memory allocation failure in
MagickRealloc() function which may cause denial of service.
For the stable distribution (jessie), these problems have been fixed in
version 1.3.20-3+deb8u2.
For the testing distribution (stretch), these problems (with the
exception of CVE-2016-9830) have been fixed in version 1.3.25-5.
For the unstable distribution (sid), these problems have been fixed in
version 1.3.25-6.
We recommend that you upgrade your graphicsmagick packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJYXuf9AAoJEG7C3vaP/jd0JS0QAJtZ3X5JmbUeyK9r+355Ujfd
bm9yJxXgqN3gYAfUb2MS27/yk+2yXa4CFTI9fdTfU91LCn7So4nO4QNsuY+73tMf
aDTE8f02dXbb6dCUuRRKZj/o97N+08Sp19CKuSX4QEMamGTJxT2uwWQ4nZQZHXAT
4k3bykdFr35TPEwdhfWSj+a2bjOY1HzBfglCVObdwZUU1iQ2lpVmMXFqDO9Bz0w9
IQCIzkLqdfZYca2MyZrFROeAz/GnlXc7MG05lCV+BLMWzaZbONkZYjHmGWfMWsuZ
FhCMjvXt1Z72iMV0eF8qOwvaRff8Tfi6JGxZJUZ1FQmSWadxx+WH5H+0SbhMAIQp
NWV5md9X/p1otkTYU/lM7j18aEFLrQO6FresrZtkg3FtFgHz8O6jyrDHLb/6Wh/e
Fsv4kG2WmLc2Bjzk6+3FMeGv/vaqF+dNBeviKabvLDM6TetBCzg7P5E622vM0lNq
47IPGIFh0AmZR12pel2zDqyzyP/dxlFHGENcFvOLLvCWINXvIvyBJ2kY0b78XOzp
VnzgROgHnNv7xHceVpJNqjYl3sFvTwAgaNBaZ3AKAG1ylSHVCW6ANJ+e3bcf0pr9
F+VrJacik/27YbzOYuD9oK9TvuW2yrexh1/0x1ZONya4aqKKDobRfB+VvbThvNoW
jrajD/W+tmH+B++s6ewM
=bb+g
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWGryvIx+lLeg9Ub1AQh/DQ//R87g72mIo0AO103yMi4Tz+46dnGlHBc2
Japtr4K2h5lF+SfwISJvMxvm6KvHEM8bWwAcHuD2im1StEljMi/gTFAorofK2q0K
0o28SNIKqvdef8cLIJ8hJVTOTgLMhrS14GW7ee5jLtTabNM3RA2kaWGgH+RW+3af
ckx3jpesmEwaXfeV0MfnP/tMiS5q371dul2BBJhJ/lH4EPc5W3BMv4trLB/246+3
rX8lbgf1yTQBlJye5H9I+H9S6l48tvSBsvkNJx36Ie7BPYjALJKuVmOYGy9efsv8
ZWtSbIbFbOv6VRon19Q3x/RtDN+99Vzahk49MVyuvzL4fa9JMdXF/Q0zobIznopT
1vfdH7zpqZZJEc+RD0zDTArmgfHhr+Yc4DCjkyVfrt0ELtIt6y4y8UOtVaV95qH4
j0DBis948fd7tEWIn4jWYOs11cxg1zus5LtyHkg/14obW148TDnQrzhK4Hc28wBa
QJ+Pnq9n+1Dj2/0DSvPgyl9RBi+Tis2dLL2LdRIA7+w8VKvddUXCEWfkU9NundrP
9peodKntI75gcQGe438JiXC5d1PD9WBwcsEtS+IkCDbcy4V2uXW3irGa4JS3SzJO
KS6hCdyuT6VD4ODwUREjhNWK48Kk8DuH7VOiSNhrQ0oIDB/Gv0Jn3jLGh2rZTSQv
lTk2Awxi06I=
=wqDk
-----END PGP SIGNATURE-----