[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

DSA-3580-1 imagemagick -- imagemagick

ID: oval:org.secpod.oval:def:602503Date: (C)2016-05-30   (M)2023-12-20
Class: PATCHFamily: unix




Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code , make HTTP GET or FTP requests , or delete , move , or read local files. These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service. The update disables the vulnerable coders and indirect reads via /etc/ImageMagick-6/policy.xml file. In addition, we introduce extra preventions, including some sanitization for input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the insecure coders.

Platform:
Debian 8.x
Product:
imagemagick
Reference:
DSA-3580-1
CVE-2016-3714
CVE-2016-3715
CVE-2016-3716
CVE-2016-3717
CVE-2016-3718
CVE    5
CVE-2016-3714
CVE-2016-3716
CVE-2016-3717
CVE-2016-3715
...
CPE    2
cpe:/o:debian:debian_linux:8.x
cpe:/a:imagemagick:imagemagick

© SecPod Technologies