Description
Security update for ImageMagick
This update for ImageMagick fixes the following issues:
Security issues fixed:
- Several coders were vulnerable to remote code execution attacks; these coders have now been disabled. They can be re-enabled by exporting the environment variable MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable/ (bsc#978061)
- CVE-2016-3714: Insufficient filtering of shell characters leads to (potentially remote) code execution
- CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol, which deletes files after reading.
- CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder.
- CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to obtain the contents of files on the server.
- CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP requests.
Bugs fixed:
- Use the external SVG loader (rsvg)
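A defender-side check for the mitigation described above, added here and not part of the SUSE advisory: it parses the output of `identify -list format` (a sample listing is constructed inline) and reports which of the coders named in this update are still registered on the host, which is what you would see if the vulnerable coder directory had been re-enabled via MAGICK_CODER_MODULE_PATH. It assumes the ImageMagick 6 listing layout (first column is the format name, a trailing asterisk marks native blob support, a dashed line separates the header from the table body).

```shell
#!/bin/sh
# Coders named in this advisory (CVE-2016-3714, -3717, -3718).
RISKY_CODERS="EPHEMERAL HTTPS HTTP FTP MVG MSL TEXT SHOW WIN PLT LABEL"

# Constructed sample of `identify -list format` output (not real host data).
SAMPLE_LISTING='   Format  Module    Mode  Description
-------------------------------------------------------------------------------
      3FR  DNG       r--   Hasselblad CFV/H3D39II
EPHEMERAL* EPHEMERAL rw-   Internal format
      JPEG* JPEG      rw-   Joint Photographic Experts Group JFIF format
     LABEL* LABEL     r--   Text image format
       MSL* MSL       rw+   Magick Scripting Language
       PNG* PNG       rw-   Portable Network Graphics (libpng 1.2.51)'

# stdin: output of `identify -list format`; stdout: still-registered risky coders, one per line.
enabled_risky_coders() {
    awk -v risky="$RISKY_CODERS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^-+$/ { body = 1; next }            # dashed line precedes the table body
        body && NF >= 3 {
            name = $1; sub(/\*$/, "", name)  # "MSL*" -> "MSL" (asterisk = blob support)
            if (name in want) print name
        }'
}

# Returns 0 when none of the advisory's coders are registered, 1 otherwise.
check_listing() {
    found=$(enabled_risky_coders)
    if [ -n "$found" ]; then
        printf 'advisory-listed coders still enabled: %s\n' \
            "$(printf '%s' "$found" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Run against the local install with `./check_coders.sh --run` (hypothetical file name).
if [ "${1:-}" = "--run" ] && command -v identify >/dev/null 2>&1; then
    identify -list format | check_listing
fi
```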
Package list
SUSE Linux Enterprise Server 11 SP2-LTSS
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
SUSE Linux Enterprise Software Development Kit 11 SP4
SUSE Manager 2.1
SUSE Manager Proxy 2.1
SUSE OpenStack Cloud 5
References
- Link for SUSE-SU-2016:1275-1
- E-Mail link for SUSE-SU-2016:1275-1
- SUSE Security Ratings
- SUSE Bug 978061
- SUSE CVE CVE-2016-3714 page
- SUSE CVE CVE-2016-3715 page
- SUSE CVE CVE-2016-3716 page
- SUSE CVE CVE-2016-3717 page
- SUSE CVE CVE-2016-3718 page
Description
The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
Affected products
References
- CVE-2016-3714
- SUSE Bug 1000484
- SUSE Bug 1057163
- SUSE Bug 1105592
- SUSE Bug 978061
- SUSE Bug 980401
- SUSE Bug 982178
Description
The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.
Affected products
References
- CVE-2016-3715
- SUSE Bug 1000484
- SUSE Bug 1057163
- SUSE Bug 1105592
- SUSE Bug 978061
Description
The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.
Affected products
References
- CVE-2016-3716
- SUSE Bug 1000484
- SUSE Bug 1057163
- SUSE Bug 1105592
- SUSE Bug 978061
Description
The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.
Affected products
References
- CVE-2016-3717
- SUSE Bug 1000484
- SUSE Bug 1057163
- SUSE Bug 1105592
- SUSE Bug 978061
Description
The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.
Affected products
References
- CVE-2016-3718
- SUSE Bug 1000484
- SUSE Bug 1057163
- SUSE Bug 1105592
- SUSE Bug 978061