8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
6.8.4.10-alt3.M70P.1 built May 20, 2016 Andrey Cherepanov in task #164801
May 18, 2016 Andrey Cherepanov
- Apply security patches from Debian:
ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT,
SHOW, WIN, and PLT are disabled via policy.xml file, since they are
vulnerable to code injection. This mitigates CVE-2016-3714,
CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718.
Since ImageMagick reverts to its internal SVG renderer (which uses
MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg
is included. Closes: 823542. In addition, some other actions were
taken with respect to these vulnerabilities:
- Drop the PLT/Gnuplot decoder, which was vulnerable to command
injection.
- Some sanitization for input filenames in http/https delegates is
added.
- Indirect filename are now authorized by policy.
- Indirect reads with label:@ are prevented.
- Less secure coders (such as MVG, TEXT, and MSL) require explicit
reference in the filename (e.g. mvg:my-graph.mvg).
8.4 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C