From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <21ab98e4-a9a7-a372-f563-3240438800dc@canonical.com>
Subject: [USN-4034-1] ImageMagick vulnerabilities
==========================================================================
Ubuntu Security Notice USN-4034-1
June 25, 2019

imagemagick vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in ImageMagick.
Software Description:
- imagemagick: Image manipulation programs and library
Details:
It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.
Due to a large number of issues discovered in Ghostscript that prevent it from being used by ImageMagick safely, the update for Ubuntu 18.10 and Ubuntu 19.04 includes a default policy change that disables support for the PostScript and PDF formats in ImageMagick. This policy can be overridden if necessary by using an alternate ImageMagick policy configuration.
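One way to check that the policy change described above is still in effect on a host, given as an added example that is not part of the original notice: the script parses the text of an ImageMagick policy file and lists the PostScript/PDF coders that remain readable or writable. The coder names, the sample policy text and the last-match-wins evaluation order are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumed coder names for the PostScript and PDF formats named in the notice.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF")

# Constructed sample policy, not copied from any Ubuntu package.
HARDENED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
</policymap>"""

# Constructed local override that re-enables PDF only.
OVERRIDDEN = HARDENED.replace(
    'rights="none" pattern="PDF"', 'rights="read|write" pattern="PDF"')


def coder_rights(policy_xml, coder):
    """Return the rights ({'read', 'write'} or a subset) left for a coder.

    Assumptions: entries apply in document order and the last matching
    entry decides; a coder with no matching entry is unrestricted.
    Patterns are matched as simple globs (no brace lists).
    """
    rights = {"read", "write"}
    for entry in ET.fromstring(policy_xml).iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        if not fnmatch.fnmatchcase(coder, entry.get("pattern", "")):
            continue
        listed = {r.strip().lower() for r in entry.get("rights", "").split("|")}
        rights = listed & {"read", "write"}
    return rights


def enabled_ghostscript_coders(policy_xml):
    """List the PostScript/PDF coders that can still be read or written."""
    return [c for c in GHOSTSCRIPT_CODERS if coder_rights(policy_xml, c)]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("overridden", OVERRIDDEN)):
        print(name, enabled_ghostscript_coders(text) or "all disabled")
```

To audit a real host, pass the contents of the policy file that ImageMagick actually loads instead of the constructed samples.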
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 19.04:
  imagemagick                     8:6.9.10.14+dfsg-7ubuntu2.2
  imagemagick-6.q16               8:6.9.10.14+dfsg-7ubuntu2.2
  libmagick++-6.q16-8             8:6.9.10.14+dfsg-7ubuntu2.2
  libmagickcore-6.q16-6           8:6.9.10.14+dfsg-7ubuntu2.2
  libmagickcore-6.q16-6-extra     8:6.9.10.14+dfsg-7ubuntu2.2

Ubuntu 18.10:
  imagemagick                     8:6.9.10.8+dfsg-1ubuntu2.2
  imagemagick-6.q16               8:6.9.10.8+dfsg-1ubuntu2.2
  libmagick++-6.q16-8             8:6.9.10.8+dfsg-1ubuntu2.2
  libmagickcore-6.q16-6           8:6.9.10.8+dfsg-1ubuntu2.2
  libmagickcore-6.q16-6-extra     8:6.9.10.8+dfsg-1ubuntu2.2

Ubuntu 18.04 LTS:
  imagemagick                     8:6.9.7.4+dfsg-16ubuntu6.7
  imagemagick-6.q16               8:6.9.7.4+dfsg-16ubuntu6.7
  libmagick++-6.q16-7             8:6.9.7.4+dfsg-16ubuntu6.7
  libmagickcore-6.q16-3           8:6.9.7.4+dfsg-16ubuntu6.7
  libmagickcore-6.q16-3-extra     8:6.9.7.4+dfsg-16ubuntu6.7

Ubuntu 16.04 LTS:
  imagemagick                     8:6.8.9.9-7ubuntu5.14
  imagemagick-6.q16               8:6.8.9.9-7ubuntu5.14
  libmagick++-6.q16-5v5           8:6.8.9.9-7ubuntu5.14
  libmagickcore-6.q16-2           8:6.8.9.9-7ubuntu5.14
  libmagickcore-6.q16-2-extra     8:6.8.9.9-7ubuntu5.14
In general, a standard system update will make all the necessary changes.
References:
  https://usn.ubuntu.com/4034-1
  CVE-2017-12805, CVE-2017-12806, CVE-2018-14434, CVE-2018-15607,
  CVE-2018-16323, CVE-2018-16412, CVE-2018-16413, CVE-2018-16644,
  CVE-2018-16645, CVE-2018-17965, CVE-2018-17966, CVE-2018-18016,
  CVE-2018-18023, CVE-2018-18024, CVE-2018-18025, CVE-2018-18544,
  CVE-2018-20467, CVE-2019-10131, CVE-2019-10649, CVE-2019-10650,
  CVE-2019-11470, CVE-2019-11472, CVE-2019-11597, CVE-2019-11598,
  CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397,
  CVE-2019-7398, CVE-2019-9956

Package Information:
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.14+dfsg-7ubuntu2.2
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.8+dfsg-1ubuntu2.2
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.7
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.14