Bug 18347 - imagemagick new security Issues CVE-2016-371[4-8]
Summary: imagemagick new security Issues CVE-2016-371[4-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/686574/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-03 20:57 CEST by Marja Van Waes
Modified: 2016-06-04 23:06 CEST
CC List: 5 users

See Also:
Source RPM: imagemagick-6.9.3.9-1.mga6, imagemagick-6.8.9.9-4.2.mga5
CVE:
Status comment:



Description Marja Van Waes 2016-05-03 20:57:11 CEST
Imagemagick has recently received vulnerability reports for certain coders; they include possible remote code execution and the ability to render files on the local system.

How to prevent possible exploits is explained here:
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Fixed ImageMagick 7.0.1-1 and 6.9.3-10 will be available by this weekend
Comment 1 David Walser 2016-05-04 13:56:00 CEST
Indeed, we should update to 6.9.3-10 when available.

Much more details on this, including PoC's, in this thread:
http://openwall.com/lists/oss-security/2016/05/03/13

Most of them are in this message:
http://openwall.com/lists/oss-security/2016/05/03/18

Whiteboard: (none) => MGA5TOO

Comment 2 David Walser 2016-05-04 19:01:01 CEST
6.9.3-10 is building now in Cauldron.  We should update Mageia 5 to it as well.

Version: Cauldron => 5
Summary: ImageMagick Security Issue => imagemagick new security Issues CVE-2016-371[4-8]
Whiteboard: MGA5TOO => (none)

David Walser 2016-05-07 00:03:57 CEST

URL: (none) => http://lwn.net/Vulnerabilities/686574/
CC: (none) => luigiwalser

Comment 3 claire robinson 2016-05-07 20:16:54 CEST
Shlomi, can we increase the priority of this one please? It's a serious issue which has received a lot of press attention.

CC: (none) => eeeemail

Comment 4 David Walser 2016-05-10 00:35:02 CEST
LWN reference for the rest of the CVEs:
http://lwn.net/Vulnerabilities/686761/
Comment 5 David Walser 2016-05-11 17:57:49 CEST
Info about some more minor issues fixed in 6.9.4-1:
http://openwall.com/lists/oss-security/2016/05/11/3
Comment 6 Shlomi Fish 2016-05-16 18:35:35 CEST
Hi all!

imagemagick-6.9.4.1-0.1.mga5 is being built right now on http://pkgsubmit.mageia.org/ . I tested "convert" from a JPEG to a PNG. Sorry it took me so long, and please let me know if my changes are acceptable.
Comment 7 David Walser 2016-05-17 21:53:22 CEST
I've updated Cauldron to 6.9.4-2.  It fixes a regression, and the delegate-related fixes appear security-related from the commit log:
http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog
http://git.imagemagick.org/repos/ImageMagick/commits/ImageMagick-6

We should probably bump the Mageia 5 build to 6.9.4-2 as well.
Comment 8 David Walser 2016-05-17 21:54:00 CEST
Also, ruby-rmagick in Mageia 5 will need to be rebuilt.  I don't see any reason for it to have a strict requires on a specific imagemagick version, so I removed that in Cauldron.
Comment 9 Shlomi Fish 2016-05-18 14:45:50 CEST
(In reply to David Walser from comment #7)
> I've updated Cauldron to 6.9.4-2.  It fixes a regression, and the
> delegate-related fixes appear security-related from the commit log:
> http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog
> http://git.imagemagick.org/repos/ImageMagick/commits/ImageMagick-6
> 
> We should probably bump the Mageia 5 build to 6.9.4-2 as well.

Thanks! imagemagick-6.9.4.2-0.1.mga5 was not built for core/updates_testing of mga5.
Comment 10 claire robinson 2016-05-18 15:46:09 CEST
Should be -1.mga5 without subrel IINM Shlomi. David will know better.
Comment 11 David Walser 2016-05-18 15:55:59 CEST
Not that it's a big issue, but yes, Claire is correct.  There should be no subrel and it should be release 1.
Comment 12 David Walser 2016-05-18 23:15:39 CEST
See PoC information in Comment 1.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

It was discovered that ImageMagick did not properly sanitize certain input
before passing it to the delegate functionality. A remote attacker could create
a specially crafted image that, when processed by an application using
ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead
to arbitrary execution of shell commands with the privileges of the user
running the application (CVE-2016-3714).

It was discovered that certain ImageMagick coders and pseudo-protocols did not
properly prevent security sensitive operations when processing specially
crafted images. A remote attacker could create a specially crafted image that,
when processed by an application using ImageMagick or an unsuspecting user
using the ImageMagick utilities, would allow the attacker to delete, move, or
disclose the contents of arbitrary files (CVE-2016-3715, CVE-2016-3716,
CVE-2016-3717).

A server-side request forgery flaw was discovered in the way ImageMagick
processed certain images. A remote attacker could exploit this flaw to mislead
an application using ImageMagick or an unsuspecting user using the ImageMagick
utilities into, for example, performing HTTP(S) requests or opening FTP
sessions via specially crafted images (CVE-2016-3718).

The imagemagick package has been updated to version 6.9.4-2 to fix these
issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3718
http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog
https://rhn.redhat.com/errata/RHSA-2016-0726.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.9.4.2-0.1.mga5
imagemagick-desktop-6.9.4.2-0.1.mga5
libmagick-6Q16_2-6.9.4.2-0.1.mga5
libmagick++-6Q16_6-6.9.4.2-0.1.mga5
libmagick-devel-6.9.4.2-0.1.mga5
perl-Image-Magick-6.9.4.2-0.1.mga5
imagemagick-doc-6.9.4.2-0.1.mga5
ruby-rmagick-2.13.2-21.1.mga5
ruby-rmagick-doc-2.13.2-21.1.mga5

from SRPMS:
imagemagick-6.9.4.2-0.1.mga5.src.rpm
ruby-rmagick-2.13.2-21.1.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
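
Added example, not part of the bug report or the Mageia package: the description links the ImageMagick forum post on preventing these exploits, and the advisory above describes the delegate, coder and pseudo-protocol flaws (CVE-2016-3714 to CVE-2016-3718) that the post's policy.xml deny-list mitigates. This Python audit parses a policy.xml and reports which of those coders are still enabled, with an unhardened and a hardened policy constructed inline. It assumes the coder list from that post, assumes ImageMagick matches coder-domain patterns as globs against the upper-case coder name, and only models deny entries.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders the ImageMagick forum post linked in the description recommends
# denying in policy.xml until a fixed build is installed (assumption: list
# taken from that post, not from the Mageia package).
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample: a policy.xml that only limits resources and leaves
# every coder enabled, i.e. the exposed state before the update.
UNHARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

# Constructed sample: the same file with the coder deny-list added.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""


def denied_coders(policy_xml):
    """Subset of RISKY_CODERS that policy_xml denies all rights to.

    Assumption: a coder-domain entry applies when its glob pattern matches
    the upper-case coder name; allow entries later in the file are ignored.
    """
    denied = set()
    for entry in ET.fromstring(policy_xml).iter("policy"):
        if entry.get("domain") != "coder" or entry.get("rights") != "none":
            continue
        pattern = entry.get("pattern", "")
        denied.update(c for c in RISKY_CODERS if fnmatchcase(c, pattern))
    return denied


def exposed_coders(policy_xml):
    """Deny-list coders the policy still allows; an empty set means hardened."""
    return set(RISKY_CODERS) - denied_coders(policy_xml)


if __name__ == "__main__":
    for name, xml in (("unhardened", UNHARDENED_POLICY),
                      ("hardened", HARDENED_POLICY)):
        print(name, "still exposes:", sorted(exposed_coders(xml)) or "nothing")
```

Running it against the real file (/etc/ImageMagick-6/policy.xml on many distributions; path is an assumption) shows at a glance whether the interim mitigation is in place while the updated packages are still in testing.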

claire robinson 2016-05-19 00:51:03 CEST

CC: eeeemail => (none)

Comment 13 David Walser 2016-05-19 16:13:19 CEST
Before the update, I confirmed the PoC's work as described from:
http://seclists.org/oss-sec/2016/q2/205

After the update on both Mageia 5 i586 and x86_64, I confirmed the PoC's no longer work.

Whiteboard: (none) => has_procedure MGA5-32-OK MGA5-64-OK

Comment 14 Lewis Smith 2016-05-19 20:46:09 CEST
Once again, thanks David for your sterling tests.
Validating the update, Advisory to follow.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Dave Hodgins 2016-05-20 11:26:06 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 15 Mageia Robot 2016-05-20 13:39:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0188.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 David Walser 2016-06-04 23:06:07 CEST
Apparently 6.9.4-0, and therefore this update, also fixed CVE-2016-4562, CVE-2016-4563, and CVE-2016-4564:
http://openwall.com/lists/oss-security/2016/06/04/8
