ESB-2018.0023 - [Debian] imagemagick: Multiple vulnerabilities 2018-01-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0023
                        imagemagick security update
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17879 CVE-2017-17504 CVE-2017-17499
                   CVE-2017-16546 CVE-2017-12877 

Reference:         ESB-2018.0018
                   ESB-2017.3251
                   ESB-2017.2963

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4074

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4074-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 28, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-12877 CVE-2017-16546 CVE-2017-17499
                 CVE-2017-17504 CVE-2017-17879

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising may
result in denial of service, memory disclosure or the execution of
arbitrary code if malformed image files are processed.
		       
For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u4.

We recommend that you upgrade your imagemagick packages.
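The actionable check behind this recommendation is a version comparison: a stretch host is covered once every binary package built from the `imagemagick` source reports a version at or above 8:6.9.7.4+dfsg-11+deb9u4. The Python below is an added example, not code from Debian or AusCERT. It reimplements dpkg's version ordering (epoch, upstream, Debian revision; digit runs compared numerically, `~` sorting before everything else, letters before punctuation), so the result matches what `dpkg --compare-versions` would say, and can also be run against an inventory copied off a host that has no dpkg. The source package name and fixed version are taken from the advisory; the function names are this example's own.

```python
import re
import subprocess

# Fixed version for stretch, as stated in DSA-4074-1.
FIXED_VERSION = "8:6.9.7.4+dfsg-11+deb9u4"
SOURCE_PACKAGE = "imagemagick"


def _order(c):
    """Weight of one character inside a non-digit run, per Debian policy:
    '~' sorts before everything (even end of string), end of string next,
    then letters, then all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs character by character."""
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else ""
        cb = b[i] if i < len(b) else ""
        if ca != cb:
            oa, ob = _order(ca), _order(cb)
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment: alternate between a
    non-digit run (lexical, with the weights above) and a digit run (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision).
    A missing epoch is 0; the revision is everything after the last '-'."""
    epoch, rest = (v.split(":", 1) if ":" in v else ("0", v))
    upstream, revision = (rest.rsplit("-", 1) if "-" in rest else (rest, ""))
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or
    newer than b (same ordering as 'dpkg --compare-versions')."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the advisory's fix."""
    return compare_versions(installed, fixed) >= 0


def installed_packages_from_source(source=SOURCE_PACKAGE):
    """Map binary package -> version for packages built from `source`, read
    from the local dpkg database. Returns {} where dpkg-query is unavailable
    (e.g. when auditing from a non-Debian workstation)."""
    fmt = "${Package} ${source:Package} ${Version}\\n"
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=" + fmt],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return {}
    found = {}
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == source:
            found[parts[0]] = parts[2]
    return found


def assess(inventory, fixed=FIXED_VERSION):
    """Return the subset of {package: version} still below the fixed version."""
    return {pkg: ver for pkg, ver in inventory.items() if not is_fixed(ver, fixed)}


if __name__ == "__main__":
    # Live host check; prints nothing to fix when every package is current.
    for pkg, ver in assess(installed_packages_from_source()).items():
        print(f"{pkg} {ver} is below {FIXED_VERSION}")
```

Run it on the host itself, or feed `assess()` a dictionary built from a `dpkg -l` export when auditing offline. The `~` rule matters in practice: a backport such as `…+deb9u4~bpo` sorts below the fix and is correctly reported as outstanding.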

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
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=IIcJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=biI4
-----END PGP SIGNATURE-----
