ImageMagick has recently received vulnerability reports for certain coders; they include possible remote code execution and the ability to render files on the local system. How to prevent possible exploits is explained here: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588 Fixed ImageMagick 7.0.1-1 and 6.9.3-10 will be available by this weekend.
Indeed, we should update to 6.9.3-10 when available. Many more details on this, including PoCs, in this thread: http://openwall.com/lists/oss-security/2016/05/03/13 Most of them are in this message: http://openwall.com/lists/oss-security/2016/05/03/18
Whiteboard: (none) => MGA5TOO
6.9.3-10 is building now in Cauldron. We should update Mageia 5 to it as well.
Version: Cauldron => 5
Summary: ImageMagick Security Issue => imagemagick new security Issues CVE-2016-371[4-8]
Whiteboard: MGA5TOO => (none)
URL: (none) => http://lwn.net/Vulnerabilities/686574/
CC: (none) => luigiwalser
Shlomi, can we increase priority of this one please. It's a serious issue which has received a lot of press attention.
CC: (none) => eeeemail
LWN reference for the rest of the CVEs: http://lwn.net/Vulnerabilities/686761/
Info about some more minor issues fixed in 6.9.4-1: http://openwall.com/lists/oss-security/2016/05/11/3
Hi all! imagemagick-6.9.4.1-0.1.mga5 is being built right now on http://pkgsubmit.mageia.org/ . I tested "convert" from a JPEG to a PNG. Sorry it took me so long and please let me know if my changes are acceptable.
I've updated Cauldron to 6.9.4-2. It fixes a regression, and the delegate-related fixes appear security-related from the commit log: http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog http://git.imagemagick.org/repos/ImageMagick/commits/ImageMagick-6 We should probably bump the Mageia 5 build to 6.9.4-2 as well.
Also, ruby-rmagick in Mageia 5 will need to be rebuilt. I don't see any reason for it to have a strict requires on a specific imagemagick version, so I removed that in Cauldron.
(In reply to David Walser from comment #7)
> I've updated Cauldron to 6.9.4-2. It fixes a regression, and the
> delegate-related fixes appear security-related from the commit log:
> http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog
> http://git.imagemagick.org/repos/ImageMagick/commits/ImageMagick-6
>
> We should probably bump the Mageia 5 build to 6.9.4-2 as well.
Thanks! imagemagick-6.9.4.2-0.1.mga5 was not built for core/updates_testing of mga5.
Should be -1.mga5 without subrel IINM, Shlomi. David will know better.
Not that it's a big issue, but yes, Claire is correct. There should be no subrel and it should be release 1.
See PoC information in Comment 1.

Advisory:
========================

Updated imagemagick packages fix security vulnerabilities:

It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application (CVE-2016-3714).

It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete, move, or disclose the contents of arbitrary files (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717).

A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images (CVE-2016-3718).

The imagemagick package has been updated to version 6.9.4-2 to fix these issues and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3718
http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog
https://rhn.redhat.com/errata/RHSA-2016-0726.html
========================

Updated packages in core/updates_testing:
========================
imagemagick-6.9.4.2-0.1.mga5
imagemagick-desktop-6.9.4.2-0.1.mga5
libmagick-6Q16_2-6.9.4.2-0.1.mga5
libmagick++-6Q16_6-6.9.4.2-0.1.mga5
libmagick-devel-6.9.4.2-0.1.mga5
perl-Image-Magick-6.9.4.2-0.1.mga5
imagemagick-doc-6.9.4.2-0.1.mga5
ruby-rmagick-2.13.2-21.1.mga5
ruby-rmagick-doc-2.13.2-21.1.mga5

from SRPMS:
imagemagick-6.9.4.2-0.1.mga5.src.rpm
ruby-rmagick-2.13.2-21.1.mga5.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
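Added example (not part of the bug thread or of any Mageia or ImageMagick code): a small audit of a `policy.xml` for the coder denials that upstream's mitigation notice, linked in the first comment, recommends for the coders and pseudo-protocols the advisory describes. The five coder names come from that upstream notice rather than from this page; the sample policy is constructed, and treating any entry that grants rights as a conflict is a conservative assumption, not ImageMagick's own evaluation order.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders listed in upstream's policy.xml mitigation for CVE-2016-3714..3718
# (taken from the upstream notice; they do not appear on this page).
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample policy with typical mistakes: one coder missing, one
# denial contradicted by another entry, one entry in the wrong domain.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTP*"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="read|write" pattern="MVG"/>
  <policy domain="delegate" rights="none" pattern="MSL"/>
</policymap>"""


def coder_status(policy_xml):
    """Map each risky coder to 'denied', 'conflict' or 'allowed'."""
    root = ET.fromstring(policy_xml)
    status = {}
    for coder in RISKY_CODERS:
        denied = granted = False
        for entry in root.iter("policy"):
            # Only coder-domain entries restrict coders.
            if entry.get("domain", "").lower() != "coder":
                continue
            # Patterns may be globs; brace expansion is not handled here.
            pattern = entry.get("pattern", "").upper()
            if not fnmatch.fnmatchcase(coder, pattern):
                continue
            if entry.get("rights", "").strip().lower() == "none":
                denied = True
            else:
                granted = True
        if denied and not granted:
            status[coder] = "denied"
        else:
            status[coder] = "conflict" if denied else "allowed"
    return status


def unprotected(policy_xml):
    """Coders that are not unambiguously denied, in RISKY_CODERS order."""
    return [c for c, s in coder_status(policy_xml).items() if s != "denied"]


if __name__ == "__main__":
    for name, state in coder_status(SAMPLE_POLICY).items():
        print(f"{name:10s} {state}")
```

To audit a real system, pass the contents of the installed `policy.xml` to `unprotected()`; an empty list means every listed coder has a `rights="none"` entry and nothing that regrants it.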
CC: eeeemail => (none)
Before the update, I confirmed the PoCs work as described from: http://seclists.org/oss-sec/2016/q2/205 After the update on both Mageia 5 i586 and x86_64, I confirmed the PoCs no longer work.
Whiteboard: (none) => has_procedure MGA5-32-OK MGA5-64-OK
Once again, thanks David for your sterling tests. Validating the update, Advisory to follow.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0188.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Apparently 6.9.4-0, and therefore this update, also fixed CVE-2016-4562, CVE-2016-4563, and CVE-2016-4564: http://openwall.com/lists/oss-security/2016/06/04/8