A vulnerability was found in ImageMagick. Insufficient filtering of the filename passed to a delegate's command allows remote code execution during conversion of several file formats. ImageMagick allows files to be processed with external libraries. This feature is called 'delegate'. It is implemented as a system() call with a command string ('command') from the config file delegates.xml, with actual values substituted for the different params (input/output filenames etc.). Due to insufficient %M param filtering it is possible to conduct shell command injection. One of the default delegate commands is used to handle https requests: "wget" -q -O "%o" "https:%M" where %M is the actual link from the input. It is possible to pass a value like `https://example.com"|ls "-la` and execute an unexpected 'ls -la'. (wget or curl should be installed.)
From https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588#p132726: We have secured these coders in ImageMagick 7.0.1-1 and 6.9.3-10 (available by this weekend) by sanitizing the HTTPS parameters and preventing indirect reads with this policy:
URL with vulnerability description has changed to https://imagetragick.com/
commit 426d2eb612ee209348a5cf520bbb0d1b8e0e12b7
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu May 5 10:49:27 2016

    media-gfx/imagemagick: Bump to versions 6.9.3.10 and 7.0.1.1

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
I'm not fully familiar with all the imagetragick details, but the imagemagick changelog says this for 7.0.1-3 and 6.9.4-1: Remove https delegate. So we should probably bump to them. (also 7.0.1-2 and 6.9.4-0 fix two issues I discovered with fuzzing)
*** Bug 582898 has been marked as a duplicate of this bug. ***
commit bf1360d003a494888c306a9b8ae00452861d13f9
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun May 15 23:38:41 2016

    media-gfx/imagemagick: Bump to version 6.9.4.1

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Oh guys, come on! You cannot initiate the stabilization process on your own? Arches, please test and mark stable =media-gfx/imagemagick-6.9.4.1 with target KEYWORDS: alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Stable for HPPA PPC64.
Stable on alpha.
arm stable
amd64 stable
x86 stable
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup.
(In reply to Agostino Sarubbo from comment #15)
> ia64 stable.
>
> Maintainer(s), please cleanup.

done.
CVE-2016-3718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3718): The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image.

CVE-2016-3717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3717): The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image.

CVE-2016-3716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3716): The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.

CVE-2016-3715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3715): The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image.

CVE-2016-3714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3714): The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."
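Added example, not code from this bug, from ImageMagick, or from the reporter: two defender-side checks for the delegate problem described in the report and the coder list in the CVE-2016-3714 entry above. The first screens the value that would be substituted for %M in the "wget" -q -O "%o" "https:%M" template (which ImageMagick hands to system()) and reports which shell metacharacters make it unsafe. The second parses an ImageMagick policy.xml and reports which of the eight CVE-2016-3714 coders it leaves enabled, using the real `<policy domain="coder" rights="none" pattern="..."/>` syntax that the upstream mitigation relied on. Function names, the URL allowlist, and both sample policies are my own constructions, not ImageMagick's shipped files.

```python
# Added example (not code from the Gentoo bug, ImageMagick, or the reporter):
# two defender-side checks for the ImageTragick delegate issue described above.
#  1. Screening the value that would become %M in the delegate template
#     "wget" -q -O "%o" "https:%M", which ImageMagick hands to system().
#  2. Auditing an ImageMagick policy.xml for the coder-disabling entries
#     used to mitigate CVE-2016-3714. Sample policies below are constructed.
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders named in CVE-2016-3714.
IMAGETRAGICK_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Characters the shell interprets. A '"' in %M closes the quoted
# "https:%M" argument; the rest of the set is rejected to stay conservative.
SHELL_META = set('"\'`$|&;<>()\\ \t\n')

# Strict allowlist for what follows "https:": host[:port][/path][?query],
# limited to characters that are never shell-significant (assumed policy).
_URL_RE = re.compile(
    r'^//[A-Za-z0-9.\-]+(?::[0-9]{1,5})?'
    r'(?:/[A-Za-z0-9._~%\-/]*)?(?:\?[A-Za-z0-9._~%\-=]*)?$'
)


def delegate_param_from_url(url):
    """Model of how %M is derived: the template contains the literal
    "https:" prefix, so %M is the remainder of the URL after it."""
    if not url.startswith("https:"):
        raise ValueError("only https URLs are handled by this delegate")
    return url[len("https:"):]


def shell_metachars_in(value):
    """Sorted list of shell metacharacters present in a candidate %M value."""
    return sorted({c for c in value if c in SHELL_META})


def is_safe_delegate_param(value):
    """True only if the value has no shell metacharacters and is a plain URL."""
    return not shell_metachars_in(value) and _URL_RE.match(value) is not None


def audit_policy(policy_xml, coders=IMAGETRAGICK_CODERS):
    """Return the coders from `coders` that this policy.xml leaves enabled.

    A coder counts as disabled when a <policy domain="coder" rights="none"
    pattern="..."/> entry matches its name. ImageMagick patterns are
    case-insensitive globs; brace lists such as {A,B} are not handled here.
    """
    root = ET.fromstring(policy_xml)
    disabled = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pattern = pol.get("pattern", "").upper()
        for coder in coders:
            if fnmatch.fnmatchcase(coder.upper(), pattern):
                disabled.add(coder)
    return [c for c in coders if c not in disabled]


# Constructed sample policies (not ImageMagick's shipped policy.xml).
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>"""

UNRESTRICTED_POLICY = """<policymap>
  <!-- a resource limit only; no coder restrictions -->
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


if __name__ == "__main__":
    for url in ("https://example.com/a.png", 'https://example.com"|ls "-la'):
        m = delegate_param_from_url(url)
        print(f"{url!r}: safe={is_safe_delegate_param(m)} meta={shell_metachars_in(m)}")
    print("hardened policy leaves enabled:", audit_policy(HARDENED_POLICY))
    print("unrestricted policy leaves enabled:", audit_policy(UNRESTRICTED_POLICY))
```

The allowlist deliberately rejects more than the bare minimum: only the double quote actually terminates the quoted "https:%M" argument, but a screen that tracks exactly which characters a given shell treats specially in a given quoting context is fragile, so refusing anything outside a narrow URL grammar is the safer default. The policy audit is the check to run on a host that cannot yet take the 6.9.3-10/7.0.1-1 package bump: if it lists any coder, the mitigation is incomplete for that coder.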
This issue was resolved and addressed in GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21 by GLSA coordinator Aaron Bauman (b-man).