[SECURITY] [DSA 3591-1] imagemagick security update

2016-06-0110:39:38

lists.debian.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

Debian Security Advisory DSA-3591-1 [email protected]
https://www.debian.org/security/ Luciano Bello
June 01, 2016 https://www.debian.org/security/faq

Package : imagemagick
CVE ID : CVE-2016-5118
Debian Bug : 825799

Bob Friesenhahn from the GraphicsMagick project discovered a command
injection vulnerability in ImageMagick, a program suite for image
manipulation. An attacker with control on input image or the input
filename can execute arbitrary commands with the privileges of the user
running the application.

This update removes the possibility of using pipe (|) in filenames to
interact with imagemagick.

It is important that you upgrade the libmagickcore-6.q16-2 and not just
the imagemagick package. Applications using libmagickcore-6.q16-2 might
also be affected and need to be restarted after the upgrade.

For the stable distribution (jessie), this problem has been fixed in
version 6.8.9.9-5+deb8u3.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7i386libgraphicsmagick++3< 1.3.16-1.1+deb7u2libgraphicsmagick++3_1.3.16-1.1+deb7u2_i386.deb
Debian8mipsellibmagickwand-6.q16-2< 6.8.9.9-5+deb8u3libmagickwand-6.q16-2_6.8.9.9-5+deb8u3_mipsel.deb
Debian7amd64libmagickwand5< 6.7.7.10-5+deb7u6libmagickwand5_6.7.7.10-5+deb7u6_amd64.deb
Debian8mipslibmagickwand-6.q16-dev< 6.8.9.9-5+deb8u3libmagickwand-6.q16-dev_6.8.9.9-5+deb8u3_mips.deb
Debian8amd64libmagickcore-6-arch-config< 6.8.9.9-5+deb8u3libmagickcore-6-arch-config_6.8.9.9-5+deb8u3_amd64.deb
Debian7armelimagemagick-dbg< 6.7.7.10-5+deb7u6imagemagick-dbg_6.7.7.10-5+deb7u6_armel.deb
Debian8armellibmagickwand-6.q16-dev< 6.8.9.9-5+deb8u3libmagickwand-6.q16-dev_6.8.9.9-5+deb8u3_armel.deb
Debian8powerpclibmagickwand-6.q16-2< 6.8.9.9-5+deb8u3libmagickwand-6.q16-2_6.8.9.9-5+deb8u3_powerpc.deb
Debian7armellibmagick++-dev< 6.7.7.10-5+deb7u6libmagick++-dev_6.7.7.10-5+deb7u6_armel.deb
Debian8armelimagemagick-dbg< 6.8.9.9-5+deb8u3imagemagick-dbg_6.8.9.9-5+deb8u3_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	i386	libgraphicsmagick++3	< 1.3.16-1.1+deb7u2	libgraphicsmagick++3_1.3.16-1.1+deb7u2_i386.deb
Debian	8	mipsel	libmagickwand-6.q16-2	< 6.8.9.9-5+deb8u3	libmagickwand-6.q16-2_6.8.9.9-5+deb8u3_mipsel.deb
Debian	7	amd64	libmagickwand5	< 6.7.7.10-5+deb7u6	libmagickwand5_6.7.7.10-5+deb7u6_amd64.deb
Debian	8	mips	libmagickwand-6.q16-dev	< 6.8.9.9-5+deb8u3	libmagickwand-6.q16-dev_6.8.9.9-5+deb8u3_mips.deb
Debian	8	amd64	libmagickcore-6-arch-config	< 6.8.9.9-5+deb8u3	libmagickcore-6-arch-config_6.8.9.9-5+deb8u3_amd64.deb
Debian	7	armel	imagemagick-dbg	< 6.7.7.10-5+deb7u6	imagemagick-dbg_6.7.7.10-5+deb7u6_armel.deb
Debian	8	armel	libmagickwand-6.q16-dev	< 6.8.9.9-5+deb8u3	libmagickwand-6.q16-dev_6.8.9.9-5+deb8u3_armel.deb
Debian	8	powerpc	libmagickwand-6.q16-2	< 6.8.9.9-5+deb8u3	libmagickwand-6.q16-2_6.8.9.9-5+deb8u3_powerpc.deb
Debian	7	armel	libmagick++-dev	< 6.7.7.10-5+deb7u6	libmagick++-dev_6.7.7.10-5+deb7u6_armel.deb
Debian	8	armel	imagemagick-dbg	< 6.8.9.9-5+deb8u3	imagemagick-dbg_6.8.9.9-5+deb8u3_armel.deb