[SECURITY] [DLA 502-1] graphicsmagick security update

2016-06-0209:05:10

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.743 High

EPSS

Percentile

98.1%

JSON

Package : graphicsmagick
Version : 1.3.16-1.1+deb7u2
CVE ID : CVE-2016-5118
Debian Bug : 825800

Bob Friesenhahn discovered a command injection vulnerability in
Graphicsmagick, a program suite for image manipulation. An attacker with
control on input image or the input filename can execute arbitrary
commands with the privileges of the user running the application.

This update removes the possibility of using pipe (|) in filenames to
interact with graphicsmagick.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u2.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8mipslibmagick++-6.q16-dev< 8:6.8.9.9-5+deb8u3libmagick++-6.q16-dev_8:6.8.9.9-5+deb8u3_mips.deb
Debian8alllibmagickcore-6-headers< 8:6.8.9.9-5+deb8u3libmagickcore-6-headers_8:6.8.9.9-5+deb8u3_all.deb
Debian8s390xlibmagick++-6.q16-dev< 8:6.8.9.9-5+deb8u3libmagick++-6.q16-dev_8:6.8.9.9-5+deb8u3_s390x.deb
Debian8kfreebsd-i386libgraphicsmagick3< 1.3.20-3+deb8u2libgraphicsmagick3_1.3.20-3+deb8u2_kfreebsd-i386.deb
Debian8amd64libgraphics-magick-perl< 1.3.20-3+deb8u2libgraphics-magick-perl_1.3.20-3+deb8u2_amd64.deb
Debian8ppc64ellibgraphicsmagick1-dev< 1.3.20-3+deb8u2libgraphicsmagick1-dev_1.3.20-3+deb8u2_ppc64el.deb
Debian8allgraphicsmagick-libmagick-dev-compat< 1.3.20-3+deb8u2graphicsmagick-libmagick-dev-compat_1.3.20-3+deb8u2_all.deb
Debian8kfreebsd-i386libmagickcore-6.q16-2< 8:6.8.9.9-5+deb8u3libmagickcore-6.q16-2_8:6.8.9.9-5+deb8u3_kfreebsd-i386.deb
Debian7armellibmagickcore-dev< 8:6.7.7.10-5+deb7u6libmagickcore-dev_8:6.7.7.10-5+deb7u6_armel.deb
Debian8ppc64elimagemagick-6.q16< 8:6.8.9.9-5+deb8u3imagemagick-6.q16_8:6.8.9.9-5+deb8u3_ppc64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mips	libmagick++-6.q16-dev	< 8:6.8.9.9-5+deb8u3	libmagick++-6.q16-dev_8:6.8.9.9-5+deb8u3_mips.deb
Debian	8	all	libmagickcore-6-headers	< 8:6.8.9.9-5+deb8u3	libmagickcore-6-headers_8:6.8.9.9-5+deb8u3_all.deb
Debian	8	s390x	libmagick++-6.q16-dev	< 8:6.8.9.9-5+deb8u3	libmagick++-6.q16-dev_8:6.8.9.9-5+deb8u3_s390x.deb
Debian	8	kfreebsd-i386	libgraphicsmagick3	< 1.3.20-3+deb8u2	libgraphicsmagick3_1.3.20-3+deb8u2_kfreebsd-i386.deb
Debian	8	amd64	libgraphics-magick-perl	< 1.3.20-3+deb8u2	libgraphics-magick-perl_1.3.20-3+deb8u2_amd64.deb
Debian	8	ppc64el	libgraphicsmagick1-dev	< 1.3.20-3+deb8u2	libgraphicsmagick1-dev_1.3.20-3+deb8u2_ppc64el.deb
Debian	8	all	graphicsmagick-libmagick-dev-compat	< 1.3.20-3+deb8u2	graphicsmagick-libmagick-dev-compat_1.3.20-3+deb8u2_all.deb
Debian	8	kfreebsd-i386	libmagickcore-6.q16-2	< 8:6.8.9.9-5+deb8u3	libmagickcore-6.q16-2_8:6.8.9.9-5+deb8u3_kfreebsd-i386.deb
Debian	7	armel	libmagickcore-dev	< 8:6.7.7.10-5+deb7u6	libmagickcore-dev_8:6.7.7.10-5+deb7u6_armel.deb
Debian	8	ppc64el	imagemagick-6.q16	< 8:6.8.9.9-5+deb8u3	imagemagick-6.q16_8:6.8.9.9-5+deb8u3_ppc64el.deb