[Pkg-gmagick-im-team] Bug#823542: Bug#823542: imagemagick-common: please mitigate CVE-2016-3714, remote arbitrary code execution during handling of delegates

Bastien Roucaries roucaries.bastien at gmail.com
Fri May 6 12:00:50 UTC 2016



On 5 May 2016 22:04:13 GMT+02:00, Simon McVittie <smcv at debian.org> wrote:
>Package: imagemagick-common
>Version: 8:6.8.9.9-7+b2
>Severity: grave
>Tags: security
>Justification: user security hole
>
>I'm sure you're already aware of
><https://security-tracker.debian.org/tracker/CVE-2016-3714>, the most
>serious
>of the recent batch of ImageMagick vulnerabilities published at
><https://imagetragick.com/>.
>
>There does not seem to be a full upstream fix yet, but it seems the
>vulnerabilities can be mitigated by altering the policy.xml file in
>imagemagick-common. The cost of this mitigation is that some obscure
>file formats, and some features that perhaps shouldn't have been
>implemented in the first place, are disabled.


I think so. Will try to cook something this weekend. If not (I am just the father of a newborn) feel free to NMU
>Regards,
>    S
>
>-- Package-specific info:
>ImageMagick program version
>---------------------------
>animate:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>compare:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>convert:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>composite:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>conjure:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>display:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>identify:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>import:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>mogrify:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>montage:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>stream:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08
>http://www.imagemagick.org
>
>-- System Information:
>Debian Release: stretch/sid
>  APT prefers unstable
>APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
>'experimental')
>Architecture: amd64 (x86_64)
>Foreign Architectures: i386
>
>Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
>Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
>Shell: /bin/sh linked to /bin/dash
>Init: systemd (via /run/systemd/system)
>
>Versions of packages imagemagick depends on:
>ii  imagemagick-6.q16  8:6.8.9.9-7+b2
>
>imagemagick recommends no packages.
>
>imagemagick suggests no packages.
>
>-- no debconf information
>
>_______________________________________________
>Pkg-gmagick-im-team mailing list
>Pkg-gmagick-im-team at lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-gmagick-im-team

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
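The mitigation Simon refers to is a policy.xml that denies the coders ImageTragick abuses (the imagetragick.com advisory linked in the report recommends denying EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT). The following checker is an added example and is not code from this bug thread or from the Debian package: it parses a policy.xml, honours both the one-pattern-per-line form and ImageMagick's `{A,B}` brace form, and reports which of those coders a given policy still allows. The two sample policies are constructed for the example, not copied from imagemagick-common.

```python
"""Check an ImageMagick policy.xml for the CVE-2016-3714 (ImageTragick) coder
mitigations.  Added example; not part of the Debian bug thread."""
import fnmatch
import xml.etree.ElementTree as ET

# Coders the imagetragick.com advisory recommends denying.  Each of them lets
# an input file reach a URL fetch, a delegate command, or an MVG/MSL script.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample: a policy that only sets resource limits (no coder rules),
# i.e. the state before the mitigation.
DEFAULT_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

# Constructed sample: the advisory's recommended coder denials, written with
# one <policy> element per coder.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""

# Constructed sample: a partial mitigation using the brace form; still leaves
# several risky coders enabled.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{URL,HTTPS,MVG,MSL}"/>
</policymap>"""


def _expand_pattern(pattern):
    """Expand ImageMagick's brace list, e.g. "{URL,HTTPS}" -> ["URL", "HTTPS"]."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",") if p.strip()]
    return [pattern]


def blocked_coders(policy_xml):
    """Return the set of RISKY_CODERS that a coder-domain rule with
    rights="none" matches (glob match, case-insensitive like ImageMagick)."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        for pat in _expand_pattern(policy.get("pattern", "")):
            pat = pat.upper()
            blocked.update(c for c in RISKY_CODERS
                           if fnmatch.fnmatchcase(c, pat))
    return blocked


def unmitigated_coders(policy_xml):
    """Sorted list of risky coders the policy still permits; empty means
    the ImageTragick coder mitigation is complete."""
    return sorted(set(RISKY_CODERS) - blocked_coders(policy_xml))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_POLICY),
                       ("partial", PARTIAL_POLICY),
                       ("hardened", HARDENED_POLICY)):
        print(f"{name:9s} still allows: {unmitigated_coders(text) or 'nothing'}")
```

Run it against the real file (`/etc/ImageMagick-6/policy.xml` on Debian) by reading that file into `unmitigated_coders`; an empty result means every advisory coder is denied. Denying a coder only closes the delegate paths those coders expose, so the check is a configuration audit, not a substitute for the upstream fix.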
