Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-3717

Опубликовано: 03 мая 2016
Источник: redhat
CVSS2: 7.1
EPSS Средний

Описание

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.

It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files.

Меры по смягчению последствий

Details can be found under the resolve tab at https://access.redhat.com/security/vulnerabilities/2296071 Red Hat Enterprise Linux 6 and 7

As a workaround the /etc/ImageMagick/policy.xml file can be edited to disable processing of MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL, MSL, LABEL, TEXT, SHOW, WIN and PLT commands within image files, simply add the following lines: within the policy map stanza: ... Red Hat Enterprise Linux 5

In the following folders: /usr/lib64/ImageMagick-6.2.8/modules-Q16/coders/ (64bit package) or /usr/lib/ImageMagick-6.2.8/modules-Q16/coders/ (32bit package) Rename the following files:

  • mvg.so to mvg.so.bak
  • msl.so to msl.so.bak
  • label.so to label.so.bak

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5ImageMagickWill not fix
Red Hat OpenShift Enterprise 2ImageMagickAffected
Red Hat Enterprise Linux 6ImageMagickFixedRHSA-2016:072609.05.2016
Red Hat Enterprise Linux 7ImageMagickFixedRHSA-2016:072609.05.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1332505ImageMagick: Local file read

EPSS

Процентиль: 96%
0.24199
Средний

7.1 High

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-3717

CVSS3: 5.5
ubuntu
больше 9 лет назад

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.

nvd логотип

CVE-2016-3717

CVSS3: 5.5
nvd
больше 9 лет назад

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.

debian логотип

CVE-2016-3717

CVSS3: 5.5
debian
больше 9 лет назад

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 ...

github логотип

GHSA-cc28-64rq-q7jg

CVSS3: 5.5
github
около 3 лет назад

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.

suse-cvrf логотип

openSUSE-SU-2016:1326-1

suse-cvrf
около 9 лет назад

Security update for GraphicsMagick

EPSS

Процентиль: 96%
0.24199
Средний

7.1 High

CVSS2