[Bug 1578398] Re: ImageMagick Security Issue reported yesterday

2016-05-05 Thread Seth Arnold
Jon, severity in launchpad is mostly unused. (Maybe some teams use it
but I'm not aware of them.) Issues that the Ubuntu Security Team tracks
are on the Ubuntu CVE Tracker:

https://people.canonical.com/~ubuntu-security/cve/pkg/imagemagick.html

Now the bad news -- I don't think the upstream developers have
understood the issues and prepared meaningful patches. My full critique
is at http://www.openwall.com/lists/oss-security/2016/05/03/19 .

Ideally the upstream authors will create patches that do address my
concerns (and the concerns raised by the mail.ru security team privately
with the upstream authors).

There's some suggestions here for mitigations: https://imagetragick.com/

I recommend testing these mitigations in your environment. I also
recommend using AppArmor to confine services that allow users to provide
images for ImageMagick manipulation.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1578398

Title:
  ImageMagick Security Issue reported yesterday

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1578398/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
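The policy.xml coder restrictions that the imagetragick.com mitigations describe, as an added example and not code taken from this thread or from ImageMagick's shipped policy file; the file location named in the comment is an assumption about the install.

```xml
<!-- Added example, not from the bug thread. Merge these <policy> entries
     into the active policy.xml (locate it with `convert -list policy`;
     on Ubuntu it is usually /etc/ImageMagick-6/policy.xml or, on older
     releases, /etc/ImageMagick/policy.xml, an assumption about your
     install). Entries here override the defaults for the named coders. -->
<policymap>
  <!-- Coders named in the ImageTragick advisory. rights="none" denies
       both read and write through that coder, so input that selects it
       (by an explicit "mvg:"-style prefix or by content detection) is
       refused instead of being interpreted. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- Further coders added to the same recommendation shortly after;
       none of them is needed to convert user-uploaded raster images. -->
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- Indirect filename references ("@/path/to/file") read local files
       into the image pipeline; deny them outright. -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

After editing, confirm the entries are in effect with `convert -list policy`, and keep the policy change alongside the AppArmor confinement recommended above rather than instead of it, since the policy only covers coders ImageMagick already knows to consult it for.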


[Bug 1578398] Re: ImageMagick Security Issue reported yesterday

2016-05-05 Thread Jon Chappell
It's a little unclear how this only warrants a severity of "medium"
given that it is a full remote code execution exploit with actual
weaponized code in the wild.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3718

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3715

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3716

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3717



[Bug 1578398] Re: ImageMagick Security Issue reported yesterday

2016-05-05 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3714

** Also affects: imagemagick (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Changed in: imagemagick (Ubuntu Precise)
   Status: New => Confirmed

** Changed in: imagemagick (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: imagemagick (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: imagemagick (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: imagemagick (Ubuntu Wily)
   Status: New => Confirmed

** Changed in: imagemagick (Ubuntu Wily)
   Importance: Undecided => Medium

** Changed in: imagemagick (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: imagemagick (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: imagemagick (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: imagemagick (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: imagemagick (Ubuntu Precise)
 Assignee: (unassigned) => Seth Arnold (seth-arnold)

** Changed in: imagemagick (Ubuntu Trusty)
 Assignee: (unassigned) => Seth Arnold (seth-arnold)

** Changed in: imagemagick (Ubuntu Wily)
 Assignee: (unassigned) => Seth Arnold (seth-arnold)

** Changed in: imagemagick (Ubuntu Xenial)
 Assignee: (unassigned) => Seth Arnold (seth-arnold)

** Changed in: imagemagick (Ubuntu Yakkety)
 Assignee: (unassigned) => Seth Arnold (seth-arnold)
