-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3752
                     ruby-mini-magick security update
                              8 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-mini-magick
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13574  

Reference:         ESB-2019.2631
                   ESB-2019.2607

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/10/msg00007.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ruby-mini-magick
Version        : 3.8.1-1+deb8u1
CVE ID         : CVE-2019-13574
Debian Bug     : 931932


In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote
image filename could cause remote command execution because Image.open
input is directly passed to Kernel#open, which accepts a '|' character
followed by a command.

For Debian 8 "Jessie", this problem has been fixed in version
3.8.1-1+deb8u1.

We recommend that you upgrade your ruby-mini-magick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
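
The advisory above attributes the issue to Image.open input reaching Kernel#open, which treats a leading '|' as a command. The following Ruby sketch is an added example, not the Debian patch or mini_magick's own code: it shows an opener that classifies untrusted input and never calls Kernel#open. All function names and the allowed-scheme list are assumptions made for illustration.

```ruby
require "uri"
require "net/http"

ALLOWED_SCHEMES = %w[http https].freeze # assumption: only web fetches are needed

# Classify an untrusted image location without passing it to Kernel#open.
# Returns [:remote, URI] or [:local, String]; raises ArgumentError otherwise.
def classify_image_source(input)
  str = input.to_s
  # Kernel#open runs a subprocess when the string starts with "|".
  # Leading whitespace is stripped first, which is stricter than required.
  raise ArgumentError, "pipe-prefixed source rejected" if str.lstrip.start_with?("|")
  return [:local, str] unless str.match?(%r{\A[a-z][a-z0-9+.-]*://}i)

  uri = begin
    URI.parse(str)
  rescue URI::InvalidURIError
    raise ArgumentError, "malformed URL"
  end
  unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    raise ArgumentError, "scheme #{uri.scheme.inspect} not allowed"
  end
  raise ArgumentError, "URL has no host" if uri.host.to_s.empty?
  [:remote, uri]
end

# File.open treats its argument purely as a filename; "|" has no meaning.
def read_local_image(path)
  File.open(path, "rb", &:read)
end

# Net::HTTP performs the request in-process; no shell or pipe is involved.
def fetch_remote_image(uri)
  res = Net::HTTP.get_response(uri)
  raise IOError, "HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Dispatch on the classification instead of letting one call guess.
def load_image_bytes(input)
  kind, target = classify_image_source(input)
  kind == :remote ? fetch_remote_image(target) : read_local_image(target)
end
```

When reviewing dependent code, any remaining call of the form open(user_supplied_string) is the pattern to look for.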

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----