Advisories ยป MGASA-2016-0188

Updated imagemagick/ruby-rmagic packages fix security vulnerability

Publication date: 20 May 2016
Modification date: 20 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3714 , CVE-2016-3715 , CVE-2016-3716 , CVE-2016-3717 , CVE-2016-3718

Description

It was discovered that ImageMagick did not properly sanitize certain input
before passing it to the delegate functionality. A remote attacker could
create a specially crafted image that, when processed by an application
using ImageMagick or an unsuspecting user using the ImageMagick utilities,
would lead to arbitrary execution of shell commands with the privileges of
the user running the application (CVE-2016-3714).

It was discovered that certain ImageMagick coders and pseudo-protocols did
not properly prevent security sensitive operations when processing
specially crafted images. A remote attacker could create a specially
crafted image that, when processed by an application using ImageMagick or
an unsuspecting user using the ImageMagick utilities, would allow the
attacker to delete, move, or disclose the contents of arbitrary files
(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717).

A server-side request forgery flaw was discovered in the way ImageMagick
processed certain images. A remote attacker could exploit this flaw to
mislead an application using ImageMagick or an unsuspecting user using the
ImageMagick utilities into, for example, performing HTTP(S) requests or
opening FTP sessions via specially crafted images (CVE-2016-3718).

The imagemagick package has been updated to version 6.9.4-2 to fix these
issues and several other bugs.

References

SRPMS

5/core