[USN-2990-1] ImageMagick vulnerabilities

Fabricante: Ubuntu
Fecha: 02/06/2016
Identificador: USN-2990-1
[USN-2990-1] ImageMagick vulnerabilities
========================================================================== Ubuntu Security Notice USN-2990-1 June 02, 2016 imagemagick vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 15.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in ImageMagick. Software Description: - imagemagick: Image manipulation programs and library Details: Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly sanitized untrusted input. A remote attacker could use these issues to execute arbitrary code. These issues are known as "ImageTragick". This update disables problematic coders via the /etc/ImageMagick-6/policy.xml configuration file. In certain environments the coders may need to be manually re-enabled after making sure that ImageMagick does not process untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718) Bob Friesenhahn discovered that ImageMagick allowed injecting commands via an image file or filename. A remote attacker could use this issue to execute arbitrary code. (CVE-2016-5118) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: imagemagick 8:6.8.9.9-7ubuntu5.1 imagemagick-6.q16 8:6.8.9.9-7ubuntu5.1 imagemagick-common 8:6.8.9.9-7ubuntu5.1 libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.1 libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.1 Ubuntu 15.10: imagemagick 8:6.8.9.9-5ubuntu2.1 imagemagick-6.q16 8:6.8.9.9-5ubuntu2.1 imagemagick-common 8:6.8.9.9-5ubuntu2.1 libmagick++-6.q16-5v5 8:6.8.9.9-5ubuntu2.1 libmagickcore-6.q16-2 8:6.8.9.9-5ubuntu2.1 Ubuntu 14.04 LTS: imagemagick 8:6.7.7.10-6ubuntu3.1 imagemagick-common 8:6.7.7.10-6ubuntu3.1 libmagick++5 8:6.7.7.10-6ubuntu3.1 libmagickcore5 8:6.7.7.10-6ubuntu3.1 Ubuntu 12.04 LTS: imagemagick 8:6.6.9.7-5ubuntu3.4 imagemagick-common 8:6.6.9.7-5ubuntu3.4 libmagick++4 8:6.6.9.7-5ubuntu3.4 libmagickcore4 8:6.6.9.7-5ubuntu3.4 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2990-1 CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718, CVE-2016-5118 Package Information: https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.1 https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-5ubuntu2.1 https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.1 https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.4 --