1. Ubuntu Security Notices
  2. USN-2990-1

USN-2990-1: ImageMagick vulnerabilities

Publication date

2 June 2016

Overview

Several security issues were fixed in ImageMagick.

Releases

Packages

  • imagemagick - Image manipulation programs and library

Details

Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly
sanitized untrusted input. A remote attacker could use these issues to
execute arbitrary code. These issues are known as “ImageTragick”. This
update disables problematic coders via the /etc/ImageMagick-6/policy.xml
configuration file. In certain environments the coders may need to be
manually re-enabled after making sure that ImageMagick does not process
untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716,
CVE-2016-3717, CVE-2016-3718)

Bob Friesenhahn discovered that ImageMagick allowed injecting commands via
an image file or filename. A remote attacker could use this issue to
execute arbitrary code. (CVE-2016-5118)

Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly
sanitized untrusted input. A remote attacker could use these issues to
execute arbitrary code. These issues are known as “ImageTragick”. This
update disables problematic coders via the /etc/ImageMagick-6/policy.xml
configuration file. In certain environments the coders may need to be
manually re-enabled after making sure that ImageMagick does not process
untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716,
CVE-2016-3717, CVE-2016-3718)

Bob Friesenhahn discovered that ImageMagick allowed injecting commands via
an image file or filename. A remote attacker could use this issue to
execute arbitrary code. (CVE-2016-5118)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
16.04 xenial imagemagick –  8:6.8.9.9-7ubuntu5.1
imagemagick-6.q16 –  8:6.8.9.9-7ubuntu5.1
imagemagick-common –  8:6.8.9.9-7ubuntu5.1
libmagick++-6.q16-5v5 –  8:6.8.9.9-7ubuntu5.1
libmagickcore-6.q16-2 –  8:6.8.9.9-7ubuntu5.1
15.10 wily imagemagick –  8:6.8.9.9-5ubuntu2.1
imagemagick-6.q16 –  8:6.8.9.9-5ubuntu2.1
imagemagick-common –  8:6.8.9.9-5ubuntu2.1
libmagick++-6.q16-5v5 –  8:6.8.9.9-5ubuntu2.1
libmagickcore-6.q16-2 –  8:6.8.9.9-5ubuntu2.1
14.04 trusty imagemagick –  8:6.7.7.10-6ubuntu3.1
imagemagick-common –  8:6.7.7.10-6ubuntu3.1
libmagick++5 –  8:6.7.7.10-6ubuntu3.1
libmagickcore5 –  8:6.7.7.10-6ubuntu3.1
12.04 precise imagemagick –  8:6.6.9.7-5ubuntu3.4
imagemagick-common –  8:6.6.9.7-5ubuntu3.4
libmagick++4 –  8:6.6.9.7-5ubuntu3.4
libmagickcore4 –  8:6.6.9.7-5ubuntu3.4

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›