Imagemagick sucks... thanks for looking into this!

> On Aug 25, 2016, at 1:53 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3652-1                   secur...@debian.org
> https://www.debian.org/security/                       Moritz Muehlenhoff
> August 25, 2016                       https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : imagemagick
> CVE ID         : CVE-2016-4562 CVE-2016-4563 CVE-2016-4564 CVE-2016-5010
>                  CVE-2016-5687 CVE-2016-5688 CVE-2016-5689 CVE-2016-5690
>                  CVE-2016-5691 CVE-2016-5841 CVE-2016-5842 CVE-2016-6491
> Debian Bugs    : 832885 832887 832888 832968 833003 832474 832475 832464
>                  832465 832467 832457 832461 832469 832482 832483 832504
>                  832633 832776 832780 832787 832789 823750 832455 832478
>                  832480 832506 832785 832793 832942 832944 832890 833044
>                  833043 833042 831034 833099 833101 827643 833812 833744
>                  833743 833735 833732 833730 834183 834501 834163 834504
>
> This update fixes many vulnerabilities in imagemagick: Various memory
> handling problems and cases of missing or incomplete input sanitising
> may result in denial of service or the execution of arbitrary code if
> malformed TIFF, WPG, RLE, RAW, PSD, Sun, PICT, VIFF, HDR, Meta, Quantum,
> PDB, DDS, DCM, EXIF, RGF or BMP files are processed.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 8:6.8.9.9-5+deb8u4.
>
> For the unstable distribution (sid), these problems will be fixed soon.
>
> We recommend that you upgrade your imagemagick packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org