ESB-2018.2249 - [Debian] graphicsmagick: Multiple vulnerabilities 2018-08-03
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2249
                      graphicsmagick security update
                               3 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           graphicsmagick
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-9018 CVE-2018-6799 CVE-2018-5685
                   CVE-2017-18231 CVE-2017-18229 CVE-2017-18220
                   CVE-2017-18219 CVE-2017-16545 CVE-2017-16352
                   CVE-2017-15930 CVE-2017-14997 CVE-2017-14994
                   CVE-2017-14504 CVE-2017-13776 CVE-2017-13775
                   CVE-2017-13737 CVE-2017-12935 CVE-2017-11642
                   CVE-2017-11641 CVE-2017-11637 CVE-2017-11403
                   CVE-2017-11140 CVE-2017-11102 CVE-2017-9098
                   CVE-2017-6335 CVE-2017-1823 CVE-2017-1654
                   CVE-2017-1527 CVE-2017-1377 CVE-2017-1293
                   CVE-2017-1163 CVE-2016-5239 

Reference:         ESB-2018.1883
                   ESB-2018.1828
                   ESB-2018.1787
                   ESB-2018.1748
                   ESB-2018.1671
                   ESB-2018.1542
                   ASB-2017.0219
                   ESB-2018.2183.2

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1456-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : graphicsmagick
Version        : 1.3.20-3+deb8u4
CVE ID         : CVE-2016-5239 CVE-2017-6335 CVE-2017-9098 CVE-2017-11102 
                 CVE-2017-11140 CVE-2017-11403 CVE-2017-11637 CVE-2017-11638 
                 CVE-2017-11641 CVE-2017-11642 CVE-2017-12935 CVE-2017-12936 
                 CVE-2017-13737 CVE-2017-13775 CVE-2017-13776 CVE-2017-13777 
                 CVE-2017-14504 CVE-2017-14994 CVE-2017-14997 CVE-2017-15277 
                 CVE-2017-15930 CVE-2017-16352 CVE-2017-16545 CVE-2017-16547 
                 CVE-2017-18219 CVE-2017-18220 CVE-2017-18229 CVE-2017-18230 
                 CVE-2017-18231 CVE-2018-5685 CVE-2018-6799 CVE-2018-9018
Debian Bug     : 867746 870153 870154 870156 870155 872576 872575 878511
                 878578 862967 879999

Various vulnerabilities were discovered in graphicsmagick, a collection
of image processing tools and associated libraries, resulting in denial
of service, information disclosure, and a variety of buffer overflows
and overreads.

For Debian 8 "Jessie", these problems have been fixed in version
1.3.20-3+deb8u4.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================