Security update for GraphicsMagick SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:1276-1 Final 1 1 2016-05-11T11:49:10Z current 2016-05-11T11:49:10Z 2016-05-11T11:49:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for GraphicsMagick This update for GraphicsMagick fixes the following issues: - Security update Remote Code Execution / Local File read [bsc#978061] CVE-2016-3714, CVE-2016-3715, CVE-2016-3717, CVE-2016-3718 - CVE-2016-3714: Insufficient shell characters filtering leads to (potentially remote) code execution - CVE-2016-3715: Possible file deletion by using GraphicsMagick's 'tmp:' file specification syntax. - CVE-2016-3717: Possible local file read by using GraphicsMagick's 'txt:' file specification syntax. - CVE-2016-3718: Possible Server Side Request Forgery (SSRF) to make HTTP GET or FTP request. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-GraphicsMagick-12548,slestso13-GraphicsMagick-12548 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20161276-1/ Link for SUSE-SU-2016:1276-1 https://lists.suse.com/pipermail/sle-security-updates/2016-May/002052.html E-Mail link for SUSE-SU-2016:1276-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/978061 SUSE Bug 978061 https://www.suse.com/security/cve/CVE-2016-3714/ SUSE CVE CVE-2016-3714 page https://www.suse.com/security/cve/CVE-2016-3715/ SUSE CVE CVE-2016-3715 page https://www.suse.com/security/cve/CVE-2016-3717/ SUSE CVE CVE-2016-3717 page https://www.suse.com/security/cve/CVE-2016-3718/ SUSE CVE CVE-2016-3718 page SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite 1.3 GraphicsMagick-1.2.5-4.35.1 libGraphicsMagick2-1.2.5-4.35.1 perl-GraphicsMagick-1.2.5-4.35.1 GraphicsMagick-1.2.5-4.35.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libGraphicsMagick2-1.2.5-4.35.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 perl-GraphicsMagick-1.2.5-4.35.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 GraphicsMagick-1.2.5-4.35.1 as a component of SUSE Studio Onsite 1.3 libGraphicsMagick2-1.2.5-4.35.1 as a component of SUSE Studio Onsite 1.3 The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick." CVE-2016-3714 SUSE Linux Enterprise Software Development Kit 11 SP4:GraphicsMagick-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libGraphicsMagick2-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:libGraphicsMagick2-1.2.5-4.35.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161276-1/ https://www.suse.com/security/cve/CVE-2016-3714.html CVE-2016-3714 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 https://bugzilla.suse.com/980401 SUSE Bug 980401 https://bugzilla.suse.com/982178 SUSE Bug 982178 The EPHEMERAL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to delete arbitrary files via a crafted image. CVE-2016-3715 SUSE Linux Enterprise Software Development Kit 11 SP4:GraphicsMagick-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libGraphicsMagick2-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:libGraphicsMagick2-1.2.5-4.35.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161276-1/ https://www.suse.com/security/cve/CVE-2016-3715.html CVE-2016-3715 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files via a crafted image. CVE-2016-3717 SUSE Linux Enterprise Software Development Kit 11 SP4:GraphicsMagick-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libGraphicsMagick2-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:libGraphicsMagick2-1.2.5-4.35.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161276-1/ https://www.suse.com/security/cve/CVE-2016-3717.html CVE-2016-3717 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061 The (1) HTTP and (2) FTP coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted image. CVE-2016-3718 SUSE Linux Enterprise Software Development Kit 11 SP4:GraphicsMagick-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libGraphicsMagick2-1.2.5-4.35.1 SUSE Linux Enterprise Software Development Kit 11 SP4:perl-GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:GraphicsMagick-1.2.5-4.35.1 SUSE Studio Onsite 1.3:libGraphicsMagick2-1.2.5-4.35.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161276-1/ https://www.suse.com/security/cve/CVE-2016-3718.html CVE-2016-3718 https://bugzilla.suse.com/1000484 SUSE Bug 1000484 https://bugzilla.suse.com/1057163 SUSE Bug 1057163 https://bugzilla.suse.com/1105592 SUSE Bug 1105592 https://bugzilla.suse.com/978061 SUSE Bug 978061