Package: imagemagick-common
Version: 8:6.8.9.9-7+b2
Severity: grave
Tags: security
Justification: user security hole

I'm sure you're already aware of <https://security-tracker.debian.org/tracker/CVE-2016-3714>, the most serious of the recent batch of ImageMagick vulnerabilities published at <https://imagetragick.com/>. There does not seem to be a full upstream fix yet, but it seems the vulnerabilities can be mitigated by altering the policy.xml file in imagemagick-common. The cost of this mitigation is that some obscure file formats, and some features that perhaps shouldn't have been implemented in the first place, are disabled.

Regards,
S

-- Package-specific info:
ImageMagick program version
---------------------------
animate: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
compare: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
convert: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
composite: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
conjure: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
display: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
identify: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
import: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
mogrify: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
montage: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
stream: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages imagemagick depends on:
ii  imagemagick-6.q16  8:6.8.9.9-7+b2

imagemagick recommends no packages.

imagemagick suggests no packages.

-- no debconf information
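The report above relies on a policy.xml change as the interim mitigation. The following script, added here as an example and not part of the bug report or of the imagemagick package, parses a policy.xml and reports which of the denials recommended by the ImageTragick advisory (the EPHEMERAL, URL, HTTPS, MVG and MSL coders, plus indirect reads via "@" paths) are absent. It assumes Debian installs the file at /etc/ImageMagick-6/policy.xml (an assumption; pass another path as the first argument) and embeds a constructed sample policy so it can run offline.

```python
import sys
import xml.etree.ElementTree as ET

# Denials the ImageTragick advisory recommends adding to policy.xml, as
# (domain, pattern) pairs. This list comes from the advisory, not from the report.
REQUIRED_DENIALS = (
    ("coder", "EPHEMERAL"),
    ("coder", "URL"),
    ("coder", "HTTPS"),
    ("coder", "MVG"),
    ("coder", "MSL"),
    ("path", "@*"),
)

# Debian's policy file location (assumption; adjust for other distributions).
DEFAULT_POLICY_PATH = "/etc/ImageMagick-6/policy.xml"

# Constructed sample policy in the shape the advisory suggests, used as
# offline input for the check below.
SAMPLE_POLICY = """<policymap>
  <!-- deny the coders and indirect-read paths that ImageTragick relies on -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""


def denied_rules(policy_xml: str) -> set:
    """Return the (domain, PATTERN) pairs that the policy denies all rights to.

    Patterns are upper-cased because ImageMagick matches coder names
    case-insensitively. A rule granting any rights other than "none"
    (e.g. rights="read") is not counted as a denial.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for rule in root.iter("policy"):
        domain = rule.get("domain")
        pattern = rule.get("pattern")
        if domain and pattern and rule.get("rights", "").strip().lower() == "none":
            denied.add((domain.lower(), pattern.upper()))
    return denied


def missing_mitigations(policy_xml: str, required=REQUIRED_DENIALS) -> list:
    """Return the required denials that policy_xml does not contain, in order."""
    denied = denied_rules(policy_xml)
    return [(d, p) for d, p in required if (d, p.upper()) not in denied]


def check_policy_file(path: str = DEFAULT_POLICY_PATH) -> list:
    """Read an installed policy.xml and report which mitigations are absent."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_POLICY_PATH
    missing = check_policy_file(path)
    for domain, pattern in missing:
        print(f'missing: <policy domain="{domain}" rights="none" pattern="{pattern}" />')
    if missing:
        sys.exit(1)
    print(f"{path}: all ImageTragick policy denials present")
```

The script prints the exact `<policy>` lines that still need adding, so the output can be pasted into the `<policymap>` element of the installed file. Note that a rule for the same pattern with rights other than "none" does not count as a mitigation.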