[Bug 1578398] Re: ImageMagick Security Issue reported yesterday

Seth Arnold 1578398 at bugs.launchpad.net
Fri May 6 03:26:29 UTC 2016


Jon, severity in launchpad is mostly unused. (Maybe some teams use it
but I'm not aware of them.) Issues that the Ubuntu Security Team tracks
are on the Ubuntu CVE Tracker:

https://people.canonical.com/~ubuntu-security/cve/pkg/imagemagick.html

Now the bad news -- I don't think the upstream developers have
understood the issues and prepared meaningful patches. My full critique
is at http://www.openwall.com/lists/oss-security/2016/05/03/19 .

Ideally the upstream authors will create patches that do address my
concerns (and the concerns raised by the mail.ru security team privately
with the upstream authors).

There are some suggestions for mitigations here: https://imagetragick.com/

I recommend testing these mitigations in your environment. I also
recommend using AppArmor to confine services that allow users to provide
images for ImageMagick manipulation.

Thanks

https://bugs.launchpad.net/bugs/1578398

Title:
  ImageMagick Security Issue reported yesterday

Status in imagemagick package in Ubuntu:
  Confirmed
Status in imagemagick source package in Precise:
  Confirmed
Status in imagemagick source package in Trusty:
  Confirmed
Status in imagemagick source package in Wily:
  Confirmed
Status in imagemagick source package in Xenial:
  Confirmed
Status in imagemagick source package in Yakkety:
  Confirmed

Bug description:
  Imagemagick Announce on Discourse: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

  https://imagetragick.com headlined: ImageMagick Is On Fire — CVE-2016-3714

  It would be great if this can be fixed quickly, to keep Ubuntu users
  safe.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: imagemagick 8:6.8.9.9-7ubuntu5
  ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
  Uname: Linux 4.4.0-21-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Wed May  4 14:28:39 2016
  InstallationDate: Installed on 2015-08-11 (267 days ago)
  InstallationMedia: It
  SourcePackage: imagemagick
  UpgradeStatus: Upgraded to xenial on 2016-03-27 (38 days ago)
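Seth's reply above points at the imagetragick.com mitigations and asks people to test them in their own environment. The mitigation that page describes is a policy.xml that denies all rights to the coders the vulnerability is reached through. The checker below is an added example written for this page; it is not code from the bug thread, from Ubuntu, or from the ImageMagick project. It assumes the coder list (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) as reconstructed from that guidance and the Ubuntu 16.04 path /etc/ImageMagick-6/policy.xml; both are assumptions to confirm against the live page and your install. The two sample policies are constructed for the demonstration.

```python
import os
import xml.etree.ElementTree as ET

# Coder patterns that the imagetragick.com mitigation policy denies. This list is
# an assumption reconstructed from that guidance; confirm it against the live page
# and against the coders your ImageMagick build actually ships.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                "TEXT", "SHOW", "WIN", "PLT")

# Assumed location of the policy file on Ubuntu 16.04 with the imagemagick 6.x package.
DEFAULT_POLICY_PATH = "/etc/ImageMagick-6/policy.xml"


def denied_coders(policy_xml):
    """Return the upper-cased coder patterns that this policy.xml denies all rights to.

    A rule with pattern="*" denies every coder; it is returned as the literal "*"
    so callers can treat it as covering the whole list.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for rule in root.iter("policy"):
        if rule.get("domain", "").strip().lower() != "coder":
            continue
        if rule.get("rights", "").strip().lower() != "none":
            continue
        denied.add(rule.get("pattern", "").strip().upper())
    return denied


def missing_mitigations(policy_xml):
    """List the risky coders the policy still leaves enabled, in RISKY_CODERS order."""
    denied = denied_coders(policy_xml)
    if "*" in denied:
        return []
    return [coder for coder in RISKY_CODERS if coder not in denied]


def check_policy_file(path=DEFAULT_POLICY_PATH):
    """Read a policy.xml from disk and report which coder restrictions are missing."""
    with open(path, encoding="utf-8") as fh:
        return missing_mitigations(fh.read())


# Constructed sample: a policy that only denies the two most obvious coders.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
"""

# Constructed sample: the full coder block the mitigation guidance describes.
HARDENED_POLICY = """<policymap>
  <!-- Deny the coders that ImageTragick (CVE-2016-3714) is reached through. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
"""


def _report(label, gaps):
    print(f"{label}: {'OK' if not gaps else 'still enabled: ' + ', '.join(gaps)}")


if __name__ == "__main__":
    _report("weak sample", missing_mitigations(WEAK_POLICY))
    _report("hardened sample", missing_mitigations(HARDENED_POLICY))
    if os.path.exists(DEFAULT_POLICY_PATH):
        _report(DEFAULT_POLICY_PATH, check_policy_file())
```

Running the script on a box prints the gaps for the two samples and, if the assumed policy path exists, for the installed file as well. A policy file that passes this check is necessary but not sufficient: ImageMagick reads the policy from its configured search path, so the file you inspect must be the one the service's ImageMagick build actually loads, which is exactly why Seth recommends testing the mitigation in your environment rather than trusting the file on disk.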



