Alerts This Week
Warning Icon 1 525
Alerts This Week
Warning Icon 1 525

Scientific Linux SL6/SL7: Important ImageMagick Update - Security Flaws

Calendar May 09, 2016 User Avatar LinuxSecurity Advisories
2 - 4 min read
Scientific Large Esm H500
Topics%20covered

Topics Covered

security advisory security issue update ImageMagick Scientific Linux
Important: ImageMagick security update 
Date: Mon, 9 May 2016 19:53:05 -0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: ImageMagick on SL6.x, SL7.x i386/x86_64
MIME-Version: 1.0
Message-ID: <20160509195305.32021.62663@slpackages.fnal.gov>

Synopsis: Important: ImageMagick security update
Advisory ID: SLSA-2016:0726-1
Issue Date: 2016-05-09
CVE Numbers: CVE-2016-3714
 CVE-2016-3715
 CVE-2016-3716
 CVE-2016-3717
 CVE-2016-3718
--

Security Fix(es):

* It was discovered that ImageMagick did not properly sanitize certain
input before passing it to the delegate functionality. A remote attacker
could create a specially crafted image that, when processed by an
application using ImageMagick or an unsuspecting user using the
ImageMagick utilities, would lead to arbitrary execution of shell commands
with the privileges of the user running the application. (CVE-2016-3714)

* It was discovered that certain ImageMagick coders and pseudo-protocols
did not properly prevent security sensitive operations when processing
specially crafted images. A remote attacker could create a specially
crafted image that, when processed by an application using ImageMagick or
an unsuspecting user using the ImageMagick utilities, would allow the
attacker to delete, move, or disclose the contents of arbitrary files.
(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)

* A server-side request forgery flaw was discovered in the way ImageMagick
processed certain images. A remote attacker could exploit this flaw to
mislead an application using ImageMagick or an unsuspecting user using the
ImageMagick utilities into, for example, performing HTTP(S) requests or
opening FTP sessions via specially crafted images. (CVE-2016-3718)

Note: This update contains an updated /etc/ImageMagick/policy.xml file
that disables the EPHEMERAL, HTTPS, HTTP, URL, FTP, MVG, MSL, TEXT, and
LABEL coders. If you experience any problems after the update, it may be
necessary to manually adjust the policy.xml file to match your
requirements. Please take additional precautions to ensure that your
applications using the ImageMagick library do not process malicious or
untrusted files before doing so.
--

SL6
 x86_64
 ImageMagick-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-6.7.2.7-4.el6_7.x86_64.rpm
 ImageMagick-c++-6.7.2.7-4.el6_7.x86_64.rpm
 ImageMagick-debuginfo-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-debuginfo-6.7.2.7-4.el6_7.x86_64.rpm
 ImageMagick-c++-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-c++-devel-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-c++-devel-6.7.2.7-4.el6_7.x86_64.rpm
 ImageMagick-devel-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-devel-6.7.2.7-4.el6_7.x86_64.rpm
 ImageMagick-doc-6.7.2.7-4.el6_7.x86_64.rpm
 ImageMagick-perl-6.7.2.7-4.el6_7.x86_64.rpm
 i386
 ImageMagick-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-c++-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-debuginfo-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-c++-devel-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-devel-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-doc-6.7.2.7-4.el6_7.i686.rpm
 ImageMagick-perl-6.7.2.7-4.el6_7.i686.rpm
SL7
 x86_64
 ImageMagick-6.7.8.9-13.el7_2.i686.rpm
 ImageMagick-6.7.8.9-13.el7_2.x86_64.rpm
 ImageMagick-c++-6.7.8.9-13.el7_2.i686.rpm
 ImageMagick-c++-6.7.8.9-13.el7_2.x86_64.rpm
 ImageMagick-debuginfo-6.7.8.9-13.el7_2.i686.rpm
 ImageMagick-debuginfo-6.7.8.9-13.el7_2.x86_64.rpm
 ImageMagick-c++-devel-6.7.8.9-13.el7_2.i686.rpm
 ImageMagick-c++-devel-6.7.8.9-13.el7_2.x86_64.rpm
 ImageMagick-devel-6.7.8.9-13.el7_2.i686.rpm
 ImageMagick-devel-6.7.8.9-13.el7_2.x86_64.rpm
 ImageMagick-doc-6.7.8.9-13.el7_2.x86_64.rpm
 ImageMagick-perl-6.7.8.9-13.el7_2.x86_64.rpm

- Scientific Linux Development Team

Related News

Your message here