Alerts This Week
Warning Icon 1 666
Alerts This Week
Warning Icon 1 666

Ubuntu 16.04 LTS USN-2990-1 Critical: ImageMagick RCE Issues

Calendar Jun 02, 2016 User Avatar LinuxSecurity Advisories
2 - 3 min read
Ubuntu Large Esm H500
Topics%20covered

Topics Covered

security advisory critical remote execution ubuntu imagemagick
Several security issues were fixed in ImageMagick. 
=========================================================================Ubuntu Security Notice USN-2990-1
June 02, 2016

imagemagick vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in ImageMagick.

Software Description:
- imagemagick: Image manipulation programs and library

Details:

Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly
sanitized untrusted input. A remote attacker could use these issues to
execute arbitrary code. These issues are known as "ImageTragick". This
update disables problematic coders via the /etc/ImageMagick-6/policy.xml
configuration file. In certain environments the coders may need to be
manually re-enabled after making sure that ImageMagick does not process
untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716,
CVE-2016-3717, CVE-2016-3718)

Bob Friesenhahn discovered that ImageMagick allowed injecting commands via
an image file or filename. A remote attacker could use this issue to
execute arbitrary code. (CVE-2016-5118)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  imagemagick                     8:6.8.9.9-7ubuntu5.1
  imagemagick-6.q16               8:6.8.9.9-7ubuntu5.1
  imagemagick-common              8:6.8.9.9-7ubuntu5.1
  libmagick++-6.q16-5v5           8:6.8.9.9-7ubuntu5.1
  libmagickcore-6.q16-2           8:6.8.9.9-7ubuntu5.1

Ubuntu 15.10:
  imagemagick                     8:6.8.9.9-5ubuntu2.1
  imagemagick-6.q16               8:6.8.9.9-5ubuntu2.1
  imagemagick-common              8:6.8.9.9-5ubuntu2.1
  libmagick++-6.q16-5v5           8:6.8.9.9-5ubuntu2.1
  libmagickcore-6.q16-2           8:6.8.9.9-5ubuntu2.1

Ubuntu 14.04 LTS:
  imagemagick                     8:6.7.7.10-6ubuntu3.1
  imagemagick-common              8:6.7.7.10-6ubuntu3.1
  libmagick++5                    8:6.7.7.10-6ubuntu3.1
  libmagickcore5                  8:6.7.7.10-6ubuntu3.1

Ubuntu 12.04 LTS:
  imagemagick                     8:6.6.9.7-5ubuntu3.4
  imagemagick-common              8:6.6.9.7-5ubuntu3.4
  libmagick++4                    8:6.6.9.7-5ubuntu3.4
  libmagickcore4                  8:6.6.9.7-5ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-2990-1
  CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717,
  CVE-2016-3718, CVE-2016-5118

Package Information:
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.1
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-5ubuntu2.1
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.1
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.4

Ubuntu 16.04 LTS USN-2990-1 Critical: ImageMagick RCE Issues

ubuntu
Calendar Grey June 2, 2016
Dist Ubuntu Esm H88
Recent vulnerabilities in ImageMagick for Ubuntu have triggered security alerts. To protect your system, follow these steps to update your software packages
Several security issues were fixed in ImageMagick.

Summary

Topics%20covered

Topics Covered

security advisory critical remote execution ubuntu imagemagick

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: imagemagick 8:6.8.9.9-7ubuntu5.1 imagemagick-6.q16 8:6.8.9.9-7ubuntu5.1 imagemagick-common 8:6.8.9.9-7ubuntu5.1 libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.1 libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.1 Ubuntu 15.10: imagemagick 8:6.8.9.9-5ubuntu2.1 imagemagick-6.q16 8:6.8.9.9-5ubuntu2.1 imagemagick-common 8:6.8.9.9-5ubuntu2.1 libmagick++-6.q16-5v5 8:6.8.9.9-5ubuntu2.1 libmagickcore-6.q16-2 8:6.8.9.9-5ubuntu2.1 Ubuntu 14.04 LTS: imagemagick 8:6.7.7.10-6ubuntu3.1 imagemagick-common 8:6.7.7.10-6ubuntu3.1 libmagick++5 8:6.7.7.10-6ubuntu3.1 libmagickcore5 8:6.7.7.10-6ubuntu3.1 Ubuntu 12.04 LTS: imagemagick 8:6.6.9.7-5ubuntu3.4 imagemagick-common 8:6.6.9.7-5ubuntu3.4 libmagick++4 8:6.6.9.7-5ubuntu3.4 libmagickcore4 8:6.6.9.7-5ubuntu3.4 In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2990-1

CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717,

CVE-2016-3718, CVE-2016-5118

Severity
critical
Lowest
Low
Medium
High
Critical

June 02, 2016

Topics%20covered

Topics Covered

security advisory critical remote execution ubuntu imagemagick

Package Information

https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.1 https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-5ubuntu2.1 https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.1 https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.4

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here