openSUSE-SU-2016:1266-1

Опубликовано: 07 мая 2016

Источник: suse-cvrf

Описание

Security update for ImageMagick

This update for ImageMagick fixes the following issues:

Security issues fixed:

Several coders were vulnerable to remote code execution attacks, these coders have now been disabled by default but can be re-enabled by editing '/etc/ImageMagick-*/policy.xml' (bsc#978061)
CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution
CVE-2016-3715: Possible file deletion by using ImageMagick's 'ephemeral' pseudo protocol which deletes files after reading.
CVE-2016-3716: Possible file moving by using ImageMagick's 'msl' pseudo protocol with any extension in any folder.
CVE-2016-3717: Possible local file read by using ImageMagick's 'label' pseudo protocol to get content of the files from the server.
CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request.

Bugs fixed:

Use external svg loader (rsvg)

This update was imported from the SUSE:SLE-12:Update update project.

Список пакетов

openSUSE Leap 42.1

ImageMagick-6.8.8.1-9.1

ImageMagick-devel-6.8.8.1-9.1

ImageMagick-devel-32bit-6.8.8.1-9.1

ImageMagick-doc-6.8.8.1-9.1

ImageMagick-extra-6.8.8.1-9.1

libMagick++-6_Q16-3-6.8.8.1-9.1

libMagick++-6_Q16-3-32bit-6.8.8.1-9.1

libMagick++-devel-6.8.8.1-9.1

libMagick++-devel-32bit-6.8.8.1-9.1

libMagickCore-6_Q16-1-6.8.8.1-9.1

libMagickCore-6_Q16-1-32bit-6.8.8.1-9.1

libMagickWand-6_Q16-1-6.8.8.1-9.1

libMagickWand-6_Q16-1-32bit-6.8.8.1-9.1

perl-PerlMagick-6.8.8.1-9.1

Ссылки

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
E-Mail link for openSUSE-SU-2016:1266-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

Затронутые продукты

openSUSE Leap 42.1:ImageMagick-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-32bit-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-doc-6.8.8.1-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-3714.html
CVE-2016-3714
https://bugzilla.suse.com/1057163
SUSE Bug 1057163
https://bugzilla.suse.com/1105592
SUSE Bug 1105592
https://bugzilla.suse.com/978061
SUSE Bug 978061
https://bugzilla.suse.com/982178
SUSE Bug 982178

Описание

The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.

Затронутые продукты

openSUSE Leap 42.1:ImageMagick-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-32bit-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-doc-6.8.8.1-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-3715.html
CVE-2016-3715
https://bugzilla.suse.com/1057163
SUSE Bug 1057163
https://bugzilla.suse.com/1105592
SUSE Bug 1105592
https://bugzilla.suse.com/978061
SUSE Bug 978061

Описание

The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.

Затронутые продукты

openSUSE Leap 42.1:ImageMagick-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-32bit-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-doc-6.8.8.1-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-3716.html
CVE-2016-3716
https://bugzilla.suse.com/1057163
SUSE Bug 1057163
https://bugzilla.suse.com/1105592
SUSE Bug 1105592
https://bugzilla.suse.com/978061
SUSE Bug 978061

Описание

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.

Затронутые продукты

openSUSE Leap 42.1:ImageMagick-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-32bit-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-doc-6.8.8.1-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-3717.html
CVE-2016-3717
https://bugzilla.suse.com/1057163
SUSE Bug 1057163
https://bugzilla.suse.com/1105592
SUSE Bug 1105592
https://bugzilla.suse.com/978061
SUSE Bug 978061

Описание

The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.

Затронутые продукты

openSUSE Leap 42.1:ImageMagick-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-32bit-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-devel-6.8.8.1-9.1

openSUSE Leap 42.1:ImageMagick-doc-6.8.8.1-9.1

Ссылки

https://www.suse.com/security/cve/CVE-2016-3718.html
CVE-2016-3718
https://bugzilla.suse.com/1057163
SUSE Bug 1057163
https://bugzilla.suse.com/1105592
SUSE Bug 1105592
https://bugzilla.suse.com/978061
SUSE Bug 978061

openSUSE-SU-2016:1266-1

Описание

Список пакетов

openSUSE Leap 42.1

Ссылки

Уязвимость: CVE-2016-3714

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2016-3715

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2016-3716

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2016-3717

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2016-3718

Описание

Затронутые продукты

Ссылки