[Pkg-gmagick-im-team] Bug#823542: imagemagick-common: please mitigate CVE-2016-3714, remote arbitrary code execution during handling of delegates
Simon McVittie
smcv at debian.org
Thu May 5 20:04:13 UTC 2016
Package: imagemagick-common
Version: 8:6.8.9.9-7+b2
Severity: grave
Tags: security
Justification: user security hole
I'm sure you're already aware of
<https://security-tracker.debian.org/tracker/CVE-2016-3714>, the most serious
of the recent batch of ImageMagick vulnerabilities published at
<https://imagetragick.com/>.
There does not seem to be a full upstream fix yet, but it seems the
vulnerabilities can be mitigated by altering the policy.xml file in
imagemagick-common. The cost of this mitigation is that some obscure
file formats, and some features that perhaps shouldn't have been
implemented in the first place, are disabled.
Regards,
S
-- Package-specific info:
ImageMagick program version
---------------------------
animate: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
compare: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
convert: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
composite: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
conjure: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
display: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
identify: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
import: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
mogrify: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
montage: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
stream: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages imagemagick depends on:
ii imagemagick-6.q16 8:6.8.9.9-7+b2
imagemagick recommends no packages.
imagemagick suggests no packages.
-- no debconf information
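The policy.xml mitigation the report refers to denies the ImageMagick coders through which the vulnerable delegates are reached. The following added example (not part of the bug report or of the Debian package) embeds a constructed policy fragment of that kind and a small checker that reports which of those coders an existing policy.xml still leaves enabled; the coder names are taken from the imagetragick.com advisory the report links to, and the file path is supplied by the caller.

```python
"""Check an ImageMagick policy.xml for the CVE-2016-3714 coder mitigation.
Added example, not the bug report's own code. The coder names come from
the imagetragick.com advisory; both policies below are constructed."""
import xml.etree.ElementTree as ET

# Coders the advisory recommends denying: input formats that reach the
# delegate mechanism the vulnerability abuses.
RISKY_CODERS = {"EPHEMERAL", "HTTPS", "MVG", "MSL", "URL"}

# Constructed policy.xml fragment implementing the mitigation.
MITIGATED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed policy that only limits resources: no coder rules at all,
# so every coder (and its delegates) remains usable.
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

def denied_coders(policy_xml: str) -> set:
    """Coder patterns given rights="none" (exact names only; glob
    patterns such as "*" are not expanded by this checker)."""
    root = ET.fromstring(policy_xml)
    return {pol.get("pattern", "").upper()
            for pol in root.iter("policy")
            if pol.get("domain") == "coder" and pol.get("rights") == "none"}

def unmitigated_coders(policy_xml: str) -> set:
    """Risky coders the policy still allows; an empty set means mitigated."""
    return RISKY_CODERS - denied_coders(policy_xml)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_policy.py /path/to/policy.xml")
    with open(sys.argv[1]) as f:  # path is an assumption supplied by the caller
        left = unmitigated_coders(f.read())
    print("mitigated" if not left else "still enabled: " + ", ".join(sorted(left)))
```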