Bug 581990 (CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718, CVE-2016-3714) - <media-gfx/imagemagick-6.9.4.1: Multiple vulnerabilities (CVE-2016-{3714,3715,3716,3717,3718})
Summary: <media-gfx/imagemagick-6.9.4.1: Multiple vulnerabilities (CVE-2016-{3714,3715...
Status: RESOLVED FIXED
Alias: CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718, CVE-2016-3714
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://imagetragick.com
Whiteboard: B2 [glsa cve cleanup]
Keywords:
Duplicates: 582898
Depends on: CVE-2016-7906
Blocks:
Reported: 2016-05-03 17:53 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-11-30 21:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-03 17:53:24 UTC
A vulnerability was found in ImageMagick. Insufficient filtering of the filename passed to a delegate's command allows remote code execution during conversion of several file formats.

ImageMagick allows files to be processed with external libraries. This feature is called 'delegate'. It is implemented as a system() call with a command string ('command') from the config file delegates.xml, with actual values filled in for the different params (input/output filenames etc). Due to insufficient filtering of the %M param it is possible to conduct shell command injection. One of the default delegate commands is used to handle https requests:

"wget" -q -O "%o" "https:%M"

where %M is the actual link from the input. It is possible to pass a value like `https://example.com"|ls "-la` and execute an unexpected 'ls -la'. (wget or curl should be installed.)
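The delegate mechanism described in the report, as an added example that is not ImageMagick's code: a naive string substitution of %M into the delegates.xml command above, the token stream a POSIX shell would derive from the result, and an argv-based expansion with an allowlist check that keeps the value inside a single argument so no shell ever parses it. The sample values (out.png, //example.com/logo.png and an injected variant in the shape of the one quoted in the report) are constructed, and placeholder handling is simplified to single-letter %X params.

```python
"""Added example (not ImageMagick's code): why string-expanded delegate commands
are injectable, and how argv-based expansion plus value validation avoids it."""
import re
import shlex

# Delegate command taken from the delegates.xml excerpt in the report.
TEMPLATE = '"wget" -q -O "%o" "https:%M"'

# Constructed sample inputs: a benign %M value and an injected one.
BENIGN_M = '//example.com/logo.png'
INJECTED_M = '//example.com/logo.png"|ls "-la'

# Simplified placeholder syntax: a single letter after '%'. Single-pass
# substitution means a substituted value is never re-scanned for placeholders.
_PLACEHOLDER = re.compile(r'%([A-Za-z])')


def _substitute(text: str, params: dict) -> str:
    return _PLACEHOLDER.sub(lambda m: params.get(m.group(1), m.group(0)), text)


def expand_naive(template: str, params: dict) -> str:
    """Substitute %X params into the command string, as a system()-style delegate
    does. Nothing escapes the value, so quotes inside it alter the command."""
    return _substitute(template, params)


def shell_tokens(command: str) -> list:
    """Tokenize a command string the way a POSIX shell would, keeping operators
    such as | and ; as their own tokens so a break-out becomes visible."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def has_command_operator(command: str) -> bool:
    """True if the expanded command contains a shell operator outside quotes,
    i.e. a parameter value escaped its argument (a useful log/fuzz check)."""
    operators = {'|', '||', ';', '&', '&&', '<', '>', '>>'}
    return any(tok in operators for tok in shell_tokens(command))


# Defense-in-depth allowlist for values substituted into a delegate command:
# letters, digits and common URL delimiters only. Quotes, whitespace, and the
# shell metacharacters | ; & $ ` ( ) < > are all rejected. This is deliberately
# narrower than RFC 3986 (an assumption of this example, not ImageMagick's rule).
_SAFE_VALUE = re.compile(r'^[A-Za-z0-9._~:/?#@+=%-]+$')


def is_safe_delegate_value(value: str) -> bool:
    return bool(_SAFE_VALUE.fullmatch(value))


def expand_argv(template: str, params: dict) -> list:
    """Tokenize the template first, then substitute into each token. The result
    is an argv list for subprocess.run(argv) with no shell, so whatever a value
    contains stays inside one argument. Values are validated as well, because
    the delegate program (wget here) would still receive the argument."""
    for key, value in params.items():
        if not is_safe_delegate_value(value):
            raise ValueError(f'rejected delegate param %{key}: {value!r}')
    return [_substitute(token, params) for token in shlex.split(template)]


if __name__ == '__main__':
    params = {'o': 'out.png', 'M': INJECTED_M}
    cmd = expand_naive(TEMPLATE, params)
    print('naive string   :', cmd)
    print('shell would run:', shell_tokens(cmd))
    print('operator found :', has_command_operator(cmd))
    try:
        expand_argv(TEMPLATE, params)
    except ValueError as err:
        print('argv expansion :', err)
    print('benign argv    :', expand_argv(TEMPLATE, {'o': 'out.png', 'M': BENIGN_M}))
```

With the injected value, shell_tokens shows the expanded string falling apart into two commands separated by a `|` token, which is exactly what system() would execute; expand_argv never reaches a shell and additionally refuses the value, which is the same shape of fix (sanitizing the HTTPS parameters) that comment 1 below describes for the upstream release.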
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-03 17:56:48 UTC
From https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726:
We have secured these coders in ImageMagick 7.0.1-1 and 6.9.3-10 (available by this weekend) by sanitizing the HTTPS parameters and preventing indirect reads with this policy:
Comment 2 Alexander Bezrukov 2016-05-04 07:48:00 UTC
URL with vulnerability description has changed to https://imagetragick.com/
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-05-08 16:45:03 UTC
commit 426d2eb612ee209348a5cf520bbb0d1b8e0e12b7
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu May 5 10:49:27 2016

    media-gfx/imagemagick: Bump to versions 6.9.3.10 and 7.0.1.1

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 4 Hanno Böck gentoo-dev 2016-05-11 10:23:24 UTC
I'm not fully familiar with all the imagetragick details, but the imagemagick changelog says this for 7.0.1-3 and 6.9.4-1:
Remove https delegate.

So we should probably bump to them. (also 7.0.1-2 and 6.9.4-0 fix two issues I discovered with fuzzing)
Comment 5 Ferdinand Kuhl 2016-05-13 08:57:26 UTC
*** Bug 582898 has been marked as a duplicate of this bug. ***
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-05-15 21:40:23 UTC
commit bf1360d003a494888c306a9b8ae00452861d13f9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun May 15 23:38:41 2016

    media-gfx/imagemagick: Bump to version 6.9.4.1
    
    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-05-19 08:19:20 UTC
Oh guys, come on! You cannot initiate the stabilization process on your own?

Arches please test and mark stable =media-gfx/imagemagick-6.9.4.1 with target KEYWORDS:

alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-20 09:25:01 UTC
Stable for HPPA PPC64.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 19:56:54 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2016-05-21 08:00:38 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-05-25 09:49:08 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-05-25 11:25:46 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-07-08 07:57:39 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-07-08 10:06:10 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-07-08 12:05:32 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 16 Markus Meier gentoo-dev 2016-07-10 09:01:48 UTC
(In reply to Agostino Sarubbo from comment #15)
> ia64 stable.
> 
> Maintainer(s), please cleanup.

done.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-07-11 04:51:34 UTC
CVE-2016-3718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3718):
  The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x
  before 7.0.1-1 allow remote attackers to conduct server-side request forgery
  (SSRF) attacks via a crafted image.

CVE-2016-3717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3717):
  The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows
  remote attackers to read arbitrary files via a crafted image.

CVE-2016-3716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3716):
  The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows
  remote attackers to move arbitrary files via a crafted image.

CVE-2016-3715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3715):
  The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1
  allows remote attackers to delete arbitrary files via a crafted image.

CVE-2016-3714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3714):
  The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN,
  and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1
  allow remote attackers to execute arbitrary code via shell metacharacters in
  a crafted image, aka "ImageTragick."
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:45:00 UTC
This issue was resolved and addressed in
 GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21
by GLSA coordinator Aaron Bauman (b-man).