Your message dated Tue, 10 Jan 2017 16:27:26 +0000 with message-id <[email protected]> and subject line Re: Bug#823542: fixed in imagemagick 8:6.8.9.9-5+deb8u2 has caused the Debian Bug report #823542, regarding imagemagick-common: please mitigate CVE-2016-3714, remote arbitrary code execution during handling of delegates to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
823542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823542
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: imagemagick-common
Version: 8:6.8.9.9-7+b2
Severity: grave
Tags: security
Justification: user security hole

I'm sure you're already aware of <https://security-tracker.debian.org/tracker/CVE-2016-3714>, the most serious of the recent batch of ImageMagick vulnerabilities published at <https://imagetragick.com/>.

There does not seem to be a full upstream fix yet, but it seems the vulnerabilities can be mitigated by altering the policy.xml file in imagemagick-common. The cost of this mitigation is that some obscure file formats, and some features that perhaps shouldn't have been implemented in the first place, are disabled.

Regards,
    S

-- Package-specific info:
ImageMagick program version
---------------------------
animate:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
compare:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
convert:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
composite: ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
conjure:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
display:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
identify:  ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
import:    ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
mogrify:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
montage:   ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org
stream:    ImageMagick 6.8.9-9 Q16 x86_64 2016-04-08 http://www.imagemagick.org

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages imagemagick depends on:
ii  imagemagick-6.q16  8:6.8.9.9-7+b2

imagemagick recommends no packages.

imagemagick suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 8:6.9.6.2+dfsg-2

Closing this RC bug for the testing/unstable branch too.

On Wed, 18 May 2016 at 21:51:15 +0000, Luciano Bello wrote:
> imagemagick (8:6.8.9.9-5+deb8u2) jessie-security; urgency=high
> .
>   * ImageTragick: The coders EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT,
>     SHOW, WIN, and PLT are disabled via policy.xml file, since they are
>     vulnerable to code injection. This mitigates CVE-2016-3714,
>     CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, and CVE-2016-3718.

These appear to have been fixed upstream in the 6.9.3/6.9.4 era.

>   - Drop the PLT/Gnuplot decoder, which was vulnerable to command
>     injection.

Quietly fixed in 6.9.4-0 with commit 70a2cf326ed32bedee144b961005c63846541a16 "Update to the latest autoconf / automake"

>   - Some sanitization for input filenames in http/https delegates is
>     added.
>   - Indirect filenames are now authorized by policy.
>   - Indirect reads with label:@ are prevented.
>   - Less secure coders (such as MVG, TEXT, and MSL) require explicit
>     reference in the filename (e.g. mvg:my-graph.mvg).

Also all 6.9.3/6.9.4 era.

    S
--- End Message ---
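The policy.xml mitigation that the bug report asks for and the jessie-security changelog describes, written out as an added example; this is not text from either message and not a copy of the file the Debian package ships. It denies exactly the nine coders the changelog names. On Debian's imagemagick-common the policy file is normally /etc/ImageMagick-6/policy.xml (that path is an assumption here, not something this thread states), and the policymap element below is the part you merge into it.

```xml
<policymap>
  <!-- ImageTragick mitigation (added example): deny the coders listed in
       the 8:6.8.9.9-5+deb8u2 changelog. rights="none" blocks both read
       and write through the coder. The pattern is matched against the
       coder ImageMagick selects from the file's magic bytes, not against
       the file extension, so an MVG payload renamed to .jpg or .png is
       still refused. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

Two checks are worth running after editing the file. `identify -list policy` (or `convert -list policy`) prints the policymap ImageMagick actually loaded, together with the path it loaded it from, which catches the common mistake of editing a policy.xml that is not the one in the search path. For a functional check, save a harmless three-line MVG file (constructed for the test: `push graphic-context`, `viewbox 0 0 10 10`, `pop graphic-context`) under a .jpg name and run `convert` on it; with the policy in place the read should fail with a "not authorized" error instead of rendering. Two caveats: the coder policy only stops the listed coders, so anything delegates.xml still hands to an external program for other formats is untouched, and, as the closing message notes, this is a mitigation rather than the upstream fix, which is what the 6.9.3/6.9.4 changes (delegate filename sanitization, dropping PLT, requiring an explicit mvg:/text:/msl: prefix) provide.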

