http://git.imagemagick.org/repos/ImageMagick/commit/c20de102cc57f3739a8870f79e728e3b0bea18c0

https://bugzilla.redhat.com/show_bug.cgi?id=1354500

GLSA-201611-21

Many security fixes, bug fixes, and other changes from the previous version 6.9.3.0. See the [6.9 branch ChangeLog](https://github.com/ImageMagick/ImageMagick/blob/3fd358e2ac3 4977fda38a2cf4d88a1cb4dd2d7c7/ChangeLog).

Dependent packages are mostly straight rebuilds, a couple also include bugfix version updates.

----

rhbz#1490649 - emacs-25.3 is available

rhbz#1490410 - unsafe enriched mode translations (security)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Many security fixes, bug fixes, and other changes from the previous version 6.9.3.0. See the [6.9 branch ChangeLog](https://github.com/ImageMagick/ImageMagick/blob/3fd358e2ac3 4977fda38a2cf4d88a1cb4dd2d7c7/ChangeLog).

Dependent packages are mostly straight rebuilds, a couple also include bugfix version updates.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - coders/dds.c in ImageMagick before 6.9.0-4 Beta allows     remote attackers to cause a denial of service (CPU     consumption) via a crafted DDS file.(CVE-2015-8959)

  - coders/tiff.c in ImageMagick before 6.9.5-3 allows     remote attackers to cause a denial of service     (out-of-bounds read) via a crafted TIFF     file.(CVE-2016-5010)

  - The ReadPSDImage function in MagickCore/locale.c in     ImageMagick allows remote attackers to cause a denial     of service (out-of-bounds read) via a crafted PSD     file.(CVE-2016-7522)

  - coders/psd.c in ImageMagick allows remote attackers to     cause a denial of service (out-of-bounds read) via a     crafted PSD file.(CVE-2016-7532)

  - coders/psd.c in ImageMagick allows remote attackers to     cause a denial of service (out-of-bounds write) via a     crafted PSD file.(CVE-2016-7535)

  - MagickCore/memory.c in ImageMagick allows remote     attackers to cause a denial of service (out-of-bounds     access) via a crafted PDB file.(CVE-2016-7537)

  - coders/psd.c in ImageMagick allows remote attackers to     cause a denial of service (out-of-bounds write) via a     crafted file.(CVE-2016-7538)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - coders/dds.c in ImageMagick before 6.9.0-4 Beta allows     remote attackers to cause a denial of service (CPU     consumption) via a crafted DDS file.(CVE-2015-8959)

  - coders/tiff.c in ImageMagick before 6.9.5-3 allows     remote attackers to cause a denial of service     (out-of-bounds read) via a crafted TIFF     file.(CVE-2016-5010)

  - The ReadPSDImage function in MagickCore/locale.c in     ImageMagick allows remote attackers to cause a denial     of service (out-of-bounds read) via a crafted PSD     file.(CVE-2016-7522)

  - coders/psd.c in ImageMagick allows remote attackers to     cause a denial of service (out-of-bounds write) via a     crafted PSD file.(CVE-2016-7535)

  - MagickCore/memory.c in ImageMagick allows remote     attackers to cause a denial of service (out-of-bounds     access) via a crafted PDB file.(CVE-2016-7537)

  - coders/psd.c in ImageMagick allows remote attackers to     cause a denial of service (out-of-bounds write) via a     crafted file.(CVE-2016-7538)

  - coders/psd.c in ImageMagick allows remote attackers to     cause a denial of service (out-of-bounds read) via a     crafted PSD file.(CVE-2016-7532)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-21 (ImageMagick: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ImageMagick.  Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - security update :

  - CVE-2016-6520: buffer overflow [bsc#991872]

  - CVE-2016-5010: Out-of-bounds read in CopyMagickMemory     [bsc#991444]

  - CVE-2016-6491: Out-of-bounds read when processing     crafted tiff files [bsc#991445]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This updates fixes many vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service or the execution of arbitrary code if malformed TIFF, WPG, RLE, RAW, PSD, Sun, PICT, VIFF, HDR, Meta, Quantum, PDB, DDS, DCM, EXIF, RGF or BMP files are processed.

This update for ImageMagick fixes the following issues :

  - security update :

  - CVE-2016-6520: buffer overflow [bsc#991872]

  - CVE-2016-5010: Out-of-bounds read in CopyMagickMemory     [bsc#991444]

  - CVE-2016-6491: Out-of-bounds read when processing     crafted tiff files [bsc#991445]

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - security update :

  - CVE-2016-6520: buffer overflow [bsc#991872]

  - CVE-2016-5010: Out-of-bounds read in CopyMagickMemory     [bsc#991444]

  - CVE-2016-6491: Out-of-bounds read when processing     crafted tiff files [bsc#991445]

ID	Name	Product	Family	Severity
103333	Fedora 25 : 1:emacs / ImageMagick / WindowMaker / autotrace / converseen / etc (2017-3a568adb31)	Nessus	Fedora Local Security Checks	high
103314	Fedora 26 : 1:emacs / ImageMagick / WindowMaker / autotrace / converseen / etc (2017-8f27031c8f)	Nessus	Fedora Local Security Checks	high
101849	EulerOS 2.0 SP1 : ImageMagick (EulerOS-SA-2017-1116)	Nessus	Huawei Local Security Checks	high
100814	EulerOS 2.0 SP2 : ImageMagick (EulerOS-SA-2017-1112)	Nessus	Huawei Local Security Checks	high
95420	GLSA-201611-21 : ImageMagick: Multiple vulnerabilities (ImageTragick)	Nessus	Gentoo Local Security Checks	critical
95053	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : imagemagick vulnerabilities (USN-3131-1)	Nessus	Ubuntu Local Security Checks	high
93291	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2016:2076-1)	Nessus	SuSE Local Security Checks	medium
93115	Debian DSA-3652-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high
93105	openSUSE Security Update : ImageMagick (openSUSE-2016-1016)	Nessus	SuSE Local Security Checks	medium
92980	openSUSE Security Update : ImageMagick (openSUSE-2016-983)	Nessus	SuSE Local Security Checks	medium

CVE-2016-5010

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins