Updated imagemagick packages fix security vulnerabilities
Publication date: 19 Jul 2016
Modification date: 19 Jul 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-5118, CVE-2016-5841, CVE-2016-5842
Description
Updated imagemagick package fixes security vulnerabilities:
- The OpenBlob function in blob.c in ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename (CVE-2016-5118).
- Integer overflow in MagickCore/profile.c (CVE-2016-5841).
- Buffer overread in MagickCore/property.c (CVE-2016-5842).
Also, several packages have been rebuilt to use the updated Magick++-6.Q16 library. These include converseen, cuneiform-linux, inkscape, k3d, kcm-grub2, kxstitch, performous, perl-Image-SubImageFind, pfstools, pstoedit, pythonmagick, synfig, vdr-plugin-skinelchi, and vdr-plugin-skinenigmang.
References
- https://bugs.mageia.org/show_bug.cgi?id=18598
- http://seclists.org/oss-sec/2016/q2/432
- http://openwall.com/lists/oss-security/2016/06/25/3
- http://git.imagemagick.org/repos/ImageMagick/blob/ImageMagick-6/ChangeLog
- https://www.debian.org/security/2016/dsa-3591
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5841
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5842
SRPMS
5/core
- imagemagick-6.9.5.2-1.mga5
- converseen-0.8.3-3.1.mga5
- cuneiform-linux-1.1.0-6.1.mga5
- inkscape-0.91-1.1.mga5
- k3d-0.8.0.2-10.1.mga5
- kcm-grub2-0.5.8-12.2.mga5
- kxstitch-1.2.0-3.1.mga5
- performous-0.8.0-0.20141015.2.1.mga5
- perl-Image-SubImageFind-0.30.0-2.1.mga5
- pfstools-1.8.5-1.1.mga5
- pstoedit-3.62-5.1.mga5
- pythonmagick-0.9.12-1.mga5
- synfig-0.64.1-6.1.mga5
- vdr-plugin-skinelchi-0.2.8-6.1.mga5
- vdr-plugin-skinenigmang-0.1.2-8.1.mga5