Your message dated Wed, 18 May 2016 21:49:24 +0000
with message-id <[email protected]>
and subject line Bug#823542: fixed in imagemagick 8:6.8.9.9-5+deb8u2
has caused the Debian Bug report #823542,
regarding imagemagick-common: please mitigate CVE-2016-3714, remote arbitrary code execution during handling of delegates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
823542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823542
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: imagemagick-common
Version: 8:6.8.9.9-7+b2
Severity: grave
Tags: security
Justification: user security hole

I'm sure you're already aware of
<https://security-tracker.debian.org/tracker/CVE-2016-3714>, the most serious
of the recent batch of ImageMagick vulnerabilities published at
<https://imagetragick.com/>.

There does not seem to be a full upstream fix yet, but it seems the
vulnerabilities can be mitigated by altering the policy.xml file in
imagemagick-common. The cost of this mitigation is that some obscure
file formats, and some features that perhaps shouldn't have been
implemented in the first place, are disabled.

Regards,
    S

-- Package-specific info:
ImageMagick program version
---------------------------
animate:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
compare:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
convert:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
composite:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
conjure:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
display:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
identify:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
import:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
mogrify:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
montage:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
stream:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages imagemagick depends on:
ii  imagemagick-6.q16  8:6.8.9.9-7+b2

imagemagick recommends no packages.

imagemagick suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u2

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <[email protected]> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 May 2016 16:39:01 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers 
libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl 
libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 
libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 
libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev 
imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev 
libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team 
<[email protected]>
Changed-By: Luciano Bello <[email protected]>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines 
-- Q16 versio
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header 
files
 libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
 libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - 
development files
 libmagick++-dev - object-oriented C++ interface to ImageMagick
 libmagickcore-6-arch-config - low-level image manipulation library - 
architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth 
Q16
 libmagickcore-6.q16-2-extra - low-level image manipulation library - extra 
codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development 
files (Q16)
 libmagickcore-dev - low-level image manipulation library -- transition package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-2 - image manipulation library
 libmagickwand-6.q16-dev - image manipulation library - development files
 libmagickwand-dev - image manipulation library - transition for development 
files
 perlmagick - Perl interface to ImageMagick -- transition package
Closes: 823542
Changes:
 imagemagick (8:6.8.9.9-5+deb8u2) jessie-security; urgency=high
 .
   * ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT,
     SHOW, WIN, and PLT are disabled via policy.xml file, since they are
     vulnerable to code injection. This mitigates CVE-2016-3714,
     CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718.
     Since ImageMagick reverts to its internal SVG renderer (which uses
     MVG coder) if Inkscape or RSVG is not used, the option --with-rsvg
     is included. Closes: 823542. In addition, some other actions were
     taken with respect to these vulnerabilities:
     - Drop the PLT/Gnuplot decoder, which was vulnerable to command
       injection.
     - Some sanitization for input filenames in http/https delegates is
       added.
     - Indirect filenames are now authorized by policy.
     - Indirect reads with label:@ are prevented.
     - Less secure coders (such as MVG, TEXT, and MSL) require explicit
       reference in the filename (e.g. mvg:my-graph.mvg).
Checksums-Sha1:
 6c65575940f795528353b0d1bf61ce434679e45a 4228 imagemagick_6.8.9.9-5+deb8u2.dsc
 84abbeab6d142267fe6eedfbbfaec11d43075c48 7891624 
imagemagick_6.8.9.9.orig.tar.xz
 5eb0935b65eeb3a9441b19486ba2f847590c67cc 218436 
imagemagick_6.8.9.9-5+deb8u2.debian.tar.xz
 134886f784ab5f45b3dfb71bf58c2b098d729943 149456 
imagemagick-common_6.8.9.9-5+deb8u2_all.deb
 cdde54dfbd40da93d1abc1915f8b8231e4d298ab 7666182 
imagemagick-doc_6.8.9.9-5+deb8u2_all.deb
 e13b03919449002a6bfb3a7bc91d416e31adc633 168196 
libmagickcore-6-headers_6.8.9.9-5+deb8u2_all.deb
 2f692ad64da50a329cba32e644b281fe1542d88c 131128 
libmagickwand-6-headers_6.8.9.9-5+deb8u2_all.deb
 c6d5b374f4135bfacda12e60f358b1ad6a7b23e3 166848 
libmagick++-6-headers_6.8.9.9-5+deb8u2_all.deb
 38420aabd4fc7496c8894592395a07ab7a5dcfa9 155918 
imagemagick_6.8.9.9-5+deb8u2_amd64.deb
 372b931fbb61a27bed4de883725c520169eef69b 174410 
libimage-magick-perl_6.8.9.9-5+deb8u2_all.deb
 9632a98506b304bf778278dc556756e7676062da 129960 
libmagickcore-6-arch-config_6.8.9.9-5+deb8u2_amd64.deb
 0dc07ef41ab40b7612a01ebf7081a8818c41a512 508566 
imagemagick-6.q16_6.8.9.9-5+deb8u2_amd64.deb
 0da92df0015765041c74a5407d2a45f12b7b9e09 1684876 
libmagickcore-6.q16-2_6.8.9.9-5+deb8u2_amd64.deb
 38e59781049cfc57e0892dc1b722b882ba1a7731 170618 
libmagickcore-6.q16-2-extra_6.8.9.9-5+deb8u2_amd64.deb
 1d4f937a0843cc68868d46a84b9a9c9f9a4855c1 1027902 
libmagickcore-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 aab86cf078ac3baafbfc3113b73612cbe2db860f 404470 
libmagickwand-6.q16-2_6.8.9.9-5+deb8u2_amd64.deb
 a387fb3a5c6b81b7c720398acc78cebbd5539e88 390994 
libmagickwand-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 56ecf4905ba4620997dccb44c64f8eaa84c89028 253784 
libmagick++-6.q16-5_6.8.9.9-5+deb8u2_amd64.deb
 6b8118b8d06e08dc02eb710cdc560dda1b3f6ba2 221860 
libmagick++-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 471fcd84e8c4cd26cb396f011d56b1e4787cfb35 5004408 
imagemagick-dbg_6.8.9.9-5+deb8u2_amd64.deb
 9fe8ce3b92eae201528b7a12c97e54bf91f731fb 220820 
libimage-magick-q16-perl_6.8.9.9-5+deb8u2_amd64.deb
 588422d5c1dbc67e2dafeccfd55712b84564c372 122230 
perlmagick_6.8.9.9-5+deb8u2_all.deb
 9b58453df19521c57319b72ace81019b5f3d040f 122212 
libmagickcore-dev_6.8.9.9-5+deb8u2_all.deb
 291017a6b2d7cf9223755a8bb46539f67a939b63 122206 
libmagickwand-dev_6.8.9.9-5+deb8u2_all.deb
 336e70997d95c35deedadeeeb69f0a4f9db382ea 122236 
libmagick++-dev_6.8.9.9-5+deb8u2_all.deb
Checksums-Sha256:
 ea6324f732a037e9fc12eb86cfe922cfbeef17dd00eed9e2d1018de046c6c966 4228 
imagemagick_6.8.9.9-5+deb8u2.dsc
 a4cccc70179ff2c67550e063cdcb2e62907338ef3e68b45bb1c41931e515b3eb 7891624 
imagemagick_6.8.9.9.orig.tar.xz
 969405680501faf3559d1236e1e1a60dfb38af2bb50763541df99779643d0fac 218436 
imagemagick_6.8.9.9-5+deb8u2.debian.tar.xz
 7da48b825640d1eef8daf8480d6af4bc29a177a07029c4cfe77cfe3d227b2df6 149456 
imagemagick-common_6.8.9.9-5+deb8u2_all.deb
 d6ea6ca17726b4e341ce78a5342cee1d118ee0187ef3d5c1af819e66515d1cc2 7666182 
imagemagick-doc_6.8.9.9-5+deb8u2_all.deb
 fd7961ebe848eacf1e0f328e39bf1a33c57978f16700c99d73fd71b61f1f1805 168196 
libmagickcore-6-headers_6.8.9.9-5+deb8u2_all.deb
 9e7ce690002e8410b3319ad5146bdfabc27ee4daed0de07c79f3f16f9cd159e3 131128 
libmagickwand-6-headers_6.8.9.9-5+deb8u2_all.deb
 16a544e3e94f522f64a06b8a593b415f01c1bc1b9c066fa77cc5d7570a3582a6 166848 
libmagick++-6-headers_6.8.9.9-5+deb8u2_all.deb
 182ed1fb67bb5ac8243d95cc0fed24f0ac450f41b0d5a03a8d7ed68ced10dd8f 155918 
imagemagick_6.8.9.9-5+deb8u2_amd64.deb
 85395cb6b25fb8154e7f5722cc341622fe41848f4d39618bcc4e5ab0e6b95e14 174410 
libimage-magick-perl_6.8.9.9-5+deb8u2_all.deb
 7195ceb542df7ff1f24aae5bf266458f02805cfda5918b334d9fb8f28747b38d 129960 
libmagickcore-6-arch-config_6.8.9.9-5+deb8u2_amd64.deb
 be4716f32d8b3f3f8dae891b663d4b14382b58b36fc5c8bf1e2ef5a3ffdaf65f 508566 
imagemagick-6.q16_6.8.9.9-5+deb8u2_amd64.deb
 17b8c92deb661cad13bbcff73e7dfdb04492e1878cc49fc104ad256efcd98024 1684876 
libmagickcore-6.q16-2_6.8.9.9-5+deb8u2_amd64.deb
 6aca1ebc97759f7b81aaf2b8b180087cf994887e1faa04619bb351355d9fc51c 170618 
libmagickcore-6.q16-2-extra_6.8.9.9-5+deb8u2_amd64.deb
 12b99adbae32d47fb02b7904f4b26f5dfee317cedf55345959f65379616a8e62 1027902 
libmagickcore-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 d850d19ad28ca1ee2239fa614e6ebd39bd3c88f9c40960c138d1885d68c4e34a 404470 
libmagickwand-6.q16-2_6.8.9.9-5+deb8u2_amd64.deb
 01070788e7ee70ec452cf17ea0100afec9188f0a739a02351df9b2a930ead6c0 390994 
libmagickwand-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 84b82d023d7db47e3a6260ecc0c7509e125e4fc82e5a0630a36799f6b561bbb4 253784 
libmagick++-6.q16-5_6.8.9.9-5+deb8u2_amd64.deb
 e58834e8a82a580a42f10028dd71be39d41017d468535b28b5ddb7d2447c60c1 221860 
libmagick++-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 92afb8e9e036b5d9329923d205eef96b3c8b809d635054529dfabff09ca5c191 5004408 
imagemagick-dbg_6.8.9.9-5+deb8u2_amd64.deb
 640e6de8aa2020fca016ee19b2ffac99d2cba4aee7a258c6f77fc19d5c67080d 220820 
libimage-magick-q16-perl_6.8.9.9-5+deb8u2_amd64.deb
 7d73a79af9f0f4fb15bd76db33a5a2fec35751a763a774df7d5081afbd8726ae 122230 
perlmagick_6.8.9.9-5+deb8u2_all.deb
 a33ecab86776d303132eba27bfe76bfe92e905e998c16446ae66d0417e5ee8d8 122212 
libmagickcore-dev_6.8.9.9-5+deb8u2_all.deb
 4b4449e11cc99673704857eb38dbfdf5e097e693609f05d7e4d68b9936ea7a92 122206 
libmagickwand-dev_6.8.9.9-5+deb8u2_all.deb
 f4ad50583e25926e9474fcb1ff4bf0c0662cbc48b3fede7d095bcd2219c92d54 122236 
libmagick++-dev_6.8.9.9-5+deb8u2_all.deb
Files:
 ff2e0d78169018d7b3569cd1cba19b9f 4228 graphics optional 
imagemagick_6.8.9.9-5+deb8u2.dsc
 9ac3d9153ef78482d750cb03e3456e28 7891624 graphics optional 
imagemagick_6.8.9.9.orig.tar.xz
 27e4b5db8793969151f56e433743b8fa 218436 graphics optional 
imagemagick_6.8.9.9-5+deb8u2.debian.tar.xz
 465f769755b0fbb2f117aa995ef79340 149456 graphics optional 
imagemagick-common_6.8.9.9-5+deb8u2_all.deb
 d28518c4986f7b2a2c71ee7fe313ca63 7666182 doc optional 
imagemagick-doc_6.8.9.9-5+deb8u2_all.deb
 6a6ae67717fdd1a3deca0bc2b7e1e25c 168196 libdevel optional 
libmagickcore-6-headers_6.8.9.9-5+deb8u2_all.deb
 75a2995609a5dc606687431d97cdd293 131128 libdevel optional 
libmagickwand-6-headers_6.8.9.9-5+deb8u2_all.deb
 11fd4f11ec5ffa2506794006786eaf2a 166848 libdevel optional 
libmagick++-6-headers_6.8.9.9-5+deb8u2_all.deb
 0326eb701ffd04ec87cf322bb9b2e556 155918 graphics optional 
imagemagick_6.8.9.9-5+deb8u2_amd64.deb
 4b2493b5a685fff9e417d4038750a851 174410 perl optional 
libimage-magick-perl_6.8.9.9-5+deb8u2_all.deb
 b904342a197db3fb692133308f0f72be 129960 libdevel optional 
libmagickcore-6-arch-config_6.8.9.9-5+deb8u2_amd64.deb
 c033928547f6f8b4de834ac5e6ce13bf 508566 graphics optional 
imagemagick-6.q16_6.8.9.9-5+deb8u2_amd64.deb
 4c2f5d03f508211d05bb2897e2762295 1684876 libs optional 
libmagickcore-6.q16-2_6.8.9.9-5+deb8u2_amd64.deb
 e25272469ea838861898f9859a5acc42 170618 libs optional 
libmagickcore-6.q16-2-extra_6.8.9.9-5+deb8u2_amd64.deb
 5344e1e90c1ed250f5661031acd7546c 1027902 libdevel optional 
libmagickcore-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 b0e33814ff8aa6e27228e08a544bf64a 404470 libs optional 
libmagickwand-6.q16-2_6.8.9.9-5+deb8u2_amd64.deb
 8b8c03227ad9d5d755eca092dcfa6bef 390994 libdevel optional 
libmagickwand-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 2c37f1d3882059d1a36d19e6006eb934 253784 libs optional 
libmagick++-6.q16-5_6.8.9.9-5+deb8u2_amd64.deb
 7573f310609cf2a40455ad3d8963d1d0 221860 libdevel optional 
libmagick++-6.q16-dev_6.8.9.9-5+deb8u2_amd64.deb
 6e931d5143a859d705e0d9e8cb4c2e39 5004408 debug extra 
imagemagick-dbg_6.8.9.9-5+deb8u2_amd64.deb
 84d059c38b3c25c09fa124f9889647e4 220820 perl optional 
libimage-magick-q16-perl_6.8.9.9-5+deb8u2_amd64.deb
 1cbfbff0f46b6a45e247a3ce05d75b74 122230 oldlibs extra 
perlmagick_6.8.9.9-5+deb8u2_all.deb
 438626432d7e7c9ef303ae9717d57b21 122212 oldlibs extra 
libmagickcore-dev_6.8.9.9-5+deb8u2_all.deb
 6fa099373b19e58eb48296ff5f57898d 122206 oldlibs extra 
libmagickwand-dev_6.8.9.9-5+deb8u2_all.deb
 fc851aac156e06320cc6436cd003d71a 122236 oldlibs extra 
libmagick++-dev_6.8.9.9-5+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
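The bug report above proposes mitigating ImageTragick by editing policy.xml, and the jessie-security changelog names the coders that the updated imagemagick-common denies there (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT). The following audit script is an added example for this bug log; it is not code from the reporter, from the Debian imagemagick package, or from ImageMagick. It parses a policy.xml with the Python standard library and lists which of those coders are still usable. The two embedded policy documents are constructed samples, and the install path /etc/ImageMagick-6/policy.xml mentioned in the comments is an assumption about where Debian places the file.

```python
"""Audit an ImageMagick-6 policy.xml for the ImageTragick coder mitigation.

Added example for this bug log; it is not code from the bug report, from the
Debian imagemagick package, or from ImageMagick itself. It parses policy.xml
with the standard library and reports which of the coders that the
8:6.8.9.9-5+deb8u2 changelog disables still have rights other than "none".
The two embedded policy documents are constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Coders the changelog says are disabled via policy.xml for CVE-2016-3714..3718.
IMAGETRAGICK_CODERS = frozenset(
    ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]
)

# Constructed sample: a policy.xml that only sets resource limits (no coder rules).
POLICY_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file with one deny rule per coder added.
POLICY_AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""


def coder_rights(policy_xml):
    """Map each pattern of a domain="coder" policy to its rights string.

    Patterns are compared exactly as written (ImageMagick coder names are
    upper-case, as in the changelog). A policy with no rights attribute is
    recorded as "" so it is never mistaken for a deny rule.
    """
    root = ET.fromstring(policy_xml)
    rights = {}
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        rights[policy.get("pattern", "")] = policy.get("rights", "").lower()
    return rights


def unmitigated_coders(policy_xml):
    """Return, sorted, the ImageTragick coders this policy does not deny.

    Only an exact pattern with rights="none" counts. policy.xml patterns may
    also be globs, which this checker does not expand, so a policy relying on
    a wildcard has to be checked by hand.
    """
    rights = coder_rights(policy_xml)
    return sorted(c for c in IMAGETRAGICK_CODERS if rights.get(c) != "none")


def audit(policy_xml, label):
    """Print a one-line verdict for the given policy and return the gaps."""
    gaps = unmitigated_coders(policy_xml)
    if gaps:
        print("%s: NOT mitigated; coders still enabled: %s" % (label, ", ".join(gaps)))
    else:
        print("%s: all ImageTragick coders denied" % label)
    return gaps


if __name__ == "__main__":
    audit(POLICY_BEFORE, "constructed pre-mitigation sample")
    audit(POLICY_AFTER, "constructed post-mitigation sample")
    # Pass the installed file to audit a real host, e.g.
    # /etc/ImageMagick-6/policy.xml (assumed location of the Debian file).
    for path in sys.argv[1:]:
        with open(path) as fh:
            audit(fh.read(), path)
```

Run it with no arguments to see both constructed samples judged, or pass the installed policy.xml to check a host. Note what the check does not cover: the changelog also lists code-level changes in the package (the PLT/Gnuplot decoder removal, filename sanitization in the http/https delegates, the label:@ restriction, and the requirement that MVG, TEXT and MSL be named explicitly in the filename). None of those is visible in policy.xml, so a clean policy audit on a host still running an unpatched build does not mean those issues are addressed; confirm the installed package version as well.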
