ArchLinux: 201605-6: imagemagick: arbitrary code execution
Summary
It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.
Resolution
Upgrade to 6.9.3.10-1.
# pacman -Syu "imagemagick>=6.9.3.10-1"
The problem has been fixed upstream in version 6.9.3.10.
References
https://access.redhat.com/security/cve/CVE-2016-3714 https://bugs.archlinux.org/task/49203 ;t=29588 https://imagetragick.com/
Workaround
To prevent these possible exploits, simply add
to your policy.xml file. To mitigate the dangerous HTTPS delegate, you
can also remove support for it by deleting it from the delegates.xml
configuration file.