Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2016:1275-1

Опубликовано: 11 мая 2016
Источник: suse-cvrf

Описание

Security update for ImageMagick

This update for ImageMagick fixes the following issues:

Security issues fixed:

  • Several coders were vulnerable to remote code execution attacks, these coders have now been disabled. They can be re-enabled by exporting the following environment variable MAGICK_CODER_MODULE_PATH=/usr/lib64/ImageMagick-6.4.3/modules-Q16/coders/vulnerable/ (bsc#978061)
  • CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution
  • CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.
  • CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder.
  • CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server.
  • CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request.

Bugs fixed:

  • Use external svg loader (rsvg)

Список пакетов

SUSE Linux Enterprise Server 11 SP2-LTSS
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-TERADATA
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP4
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server for SAP Applications 11 SP4
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Software Development Kit 11 SP4
ImageMagick-6.4.3.6-7.34.1
ImageMagick-devel-6.4.3.6-7.34.1
libMagick++-devel-6.4.3.6-7.34.1
libMagick++1-6.4.3.6-7.34.1
libMagickWand1-6.4.3.6-7.34.1
libMagickWand1-32bit-6.4.3.6-7.34.1
perl-PerlMagick-6.4.3.6-7.34.1
SUSE Manager 2.1
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Manager Proxy 2.1
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE OpenStack Cloud 5
libMagickCore1-6.4.3.6-7.34.1
libMagickCore1-32bit-6.4.3.6-7.34.1

Описание

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."


Затронутые продукты
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-6.4.3.6-7.34.1

Ссылки

Описание

The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.


Затронутые продукты
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-6.4.3.6-7.34.1

Ссылки

Описание

The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.


Затронутые продукты
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-6.4.3.6-7.34.1

Ссылки

Описание

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.


Затронутые продукты
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-6.4.3.6-7.34.1

Ссылки

Описание

The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.


Затронутые продукты
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP2-LTSS:libMagickCore1-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-32bit-6.4.3.6-7.34.1
SUSE Linux Enterprise Server 11 SP3-LTSS:libMagickCore1-6.4.3.6-7.34.1

Ссылки
Уязвимость SUSE-SU-2016:1275-1