ESB-2017.2823 - [Debian] imagemagick: Multiple vulnerabilities 2017-11-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2823
                        imagemagick security update
                              6 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13145 CVE-2017-13144 CVE-2017-13143
                   CVE-2017-13142 CVE-2017-13141 CVE-2017-13140
                   CVE-2017-13139 CVE-2017-12671 CVE-2017-12640
                   CVE-2017-12587 CVE-2017-12434 CVE-2017-12432
                   CVE-2017-12431 CVE-2017-12428 CVE-2017-11640
                   CVE-2017-11639 CVE-2017-11537 CVE-2017-11535
                   CVE-2017-11533 CVE-2017-11523 CVE-2017-11446
                   CVE-2017-9500

Reference:         ESB-2017.2697
                   ESB-2017.1769

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4019

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4019-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-9500  CVE-2017-11446 CVE-2017-11523 CVE-2017-11533
                 CVE-2017-11535 CVE-2017-11537 CVE-2017-11639 CVE-2017-11640
                 CVE-2017-12428 CVE-2017-12431 CVE-2017-12432 CVE-2017-12434
                 CVE-2017-12587 CVE-2017-12640 CVE-2017-12671 CVE-2017-13139
                 CVE-2017-13140 CVE-2017-13141 CVE-2017-13142 CVE-2017-13143
                 CVE-2017-13144 CVE-2017-13145
Debian Bug     : 870526 870491 870116 870111 870109 870106 870119
                 870105 870065 870014 869210 870067 870012 869834
                 869830 869827 868950 869728 869712 869715 869713 867778

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising may
result in denial of service, memory disclosure or the execution of
arbitrary code if malformed image files are processed.

For the stable distribution (stretch), this problem has been fixed in
version 8:6.9.7.4+dfsg-11+deb9u2.

We recommend that you upgrade your imagemagick packages.
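A practical way to act on the two sentences above is to compare what is installed on each stretch host against the fixed version the advisory names. The script below is an added example, not Debian's or AusCERT's code: it parses the output of `dpkg-query -W -f='${Package}\t${Version}\n'` (a constructed sample is embedded) and re-implements the Debian version ordering from Debian Policy section 5.6.12 (epoch, then upstream version, then Debian revision, with `~` sorting before everything) so that the comparison also runs off-host, for example over an inventory export. The set of binary package names to watch is an assumption; on a Debian host, `dpkg --compare-versions` is the authoritative implementation of the same ordering.

```python
r"""Check installed Debian package versions against the version a DSA names as fixed.

Added example (not Debian's or AusCERT's code). It re-implements the Debian
version ordering from Debian Policy 5.6.12 so it runs offline; on a Debian host
`dpkg --compare-versions` is the authoritative implementation.
"""

# Version that DSA-4019-1 names as fixed for stretch (from the bulletin text).
FIXED_VERSION = "8:6.9.7.4+dfsg-11+deb9u2"


def _order(c):
    """Weight of one character in the non-digit phase of the comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0               # end of string


def _verrevcmp(a, b):
    """Compare two upstream-version or revision fragments the way dpkg does."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character using _order weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else "")
            bc = _order(b[0] if b else "")
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        a = a.lstrip("0")
        b = b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                # no '-' at all: everything is upstream, no revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as a is older than, equal to or newer than b (Debian ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r:
        return r
    return _verrevcmp(ra, rb)


def parse_dpkg_query(output):
    r"""Parse lines of `dpkg-query -W -f='${Package}\t${Version}\n'` into {package: version}."""
    installed = {}
    for line in output.splitlines():
        name, _, version = line.strip().partition("\t")
        if name and version:
            installed[name] = version
    return installed


def packages_needing_upgrade(installed, watched, fixed=FIXED_VERSION):
    """Return {package: installed_version} for watched packages older than `fixed`."""
    return {p: v for p, v in installed.items()
            if p in watched and compare_versions(v, fixed) < 0}


# Constructed sample of dpkg-query output on a stretch host: two binaries from the
# imagemagick source still at deb9u1, one already at the fixed version, and an
# unrelated package that must be ignored.
SAMPLE_OUTPUT = (
    "imagemagick\t8:6.9.7.4+dfsg-11+deb9u1\n"
    "imagemagick-6.q16\t8:6.9.7.4+dfsg-11+deb9u1\n"
    "libmagickcore-6.q16-3\t8:6.9.7.4+dfsg-11+deb9u2\n"
    "zlib1g\t1:1.2.8.dfsg-5\n"
)
# Binary packages built from the imagemagick source that we want to check (assumed names).
WATCHED = {"imagemagick", "imagemagick-6.q16", "libmagickcore-6.q16-3", "libmagickwand-6.q16-3"}

if __name__ == "__main__":
    stale = packages_needing_upgrade(parse_dpkg_query(SAMPLE_OUTPUT), WATCHED)
    for pkg, ver in sorted(stale.items()):
        print(f"{pkg}: installed {ver}, fixed in {FIXED_VERSION}")
```

Every binary package built from the imagemagick source carries the same version string, so one fixed version covers the whole set; the script deliberately flags only packages that are older, since a host that already received deb9u2 or a later point release needs no action.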

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
