This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3215451961752635219==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="cDh7xd3lbYCKzJ1OwpxyodPQOftaYd819"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--cDh7xd3lbYCKzJ1OwpxyodPQOftaYd819
Content-Type: multipart/mixed;
boundary="FT1RLFcp5wfZckUeD4ya1Pp8Mca3cro8B";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <21ab98e4-a9a7-a372-f563-3240438800dc@canonical.com>
Subject: [USN-4034-1] ImageMagick vulnerabilities
--FT1RLFcp5wfZckUeD4ya1Pp8Mca3cro8B
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable
==========================================================================
Ubuntu Security Notice USN-4034-1
June 25, 2019
imagemagick vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in ImageMagick.
Software Description:
- imagemagick: Image manipulation programs and library
Details:
It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.
Due to a large number of issues discovered in GhostScript that prevent it
from being used by ImageMagick safely, the update for Ubuntu 18.10 and
Ubuntu 19.04 includes a default policy change that disables support for the
Postscript and PDF formats in ImageMagick. This policy can be overridden if
necessary by using an alternate ImageMagick policy configuration.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
imagemagick 8:6.9.10.14+dfsg-7ubuntu2.2
imagemagick-6.q16 8:6.9.10.14+dfsg-7ubuntu2.2
libmagick++-6.q16-8 8:6.9.10.14+dfsg-7ubuntu2.2
libmagickcore-6.q16-6 8:6.9.10.14+dfsg-7ubuntu2.2
libmagickcore-6.q16-6-extra 8:6.9.10.14+dfsg-7ubuntu2.2
Ubuntu 18.10:
imagemagick 8:6.9.10.8+dfsg-1ubuntu2.2
imagemagick-6.q16 8:6.9.10.8+dfsg-1ubuntu2.2
libmagick++-6.q16-8 8:6.9.10.8+dfsg-1ubuntu2.2
libmagickcore-6.q16-6 8:6.9.10.8+dfsg-1ubuntu2.2
libmagickcore-6.q16-6-extra 8:6.9.10.8+dfsg-1ubuntu2.2
Ubuntu 18.04 LTS:
imagemagick 8:6.9.7.4+dfsg-16ubuntu6.7
imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.7
libmagick++-6.q16-7 8:6.9.7.4+dfsg-16ubuntu6.7
libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.7
libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-16ubuntu6.7
Ubuntu 16.04 LTS:
imagemagick 8:6.8.9.9-7ubuntu5.14
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.14
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.14
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.14
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu5.14
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4034-1
CVE-2017-12805, CVE-2017-12806, CVE-2018-14434, CVE-2018-15607,
CVE-2018-16323, CVE-2018-16412, CVE-2018-16413, CVE-2018-16644,
CVE-2018-16645, CVE-2018-17965, CVE-2018-17966, CVE-2018-18016,
CVE-2018-18023, CVE-2018-18024, CVE-2018-18025, CVE-2018-18544,
CVE-2018-20467, CVE-2019-10131, CVE-2019-10649, CVE-2019-10650,
CVE-2019-11470, CVE-2019-11472, CVE-2019-11597, CVE-2019-11598,
CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397,
CVE-2019-7398, CVE-2019-9956
Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.14+dfsg-7ubuntu2.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.8+dfsg-1ubuntu2.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.7
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.14
--FT1RLFcp5wfZckUeD4ya1Pp8Mca3cro8B--
--cDh7xd3lbYCKzJ1OwpxyodPQOftaYd819
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl0SJIkACgkQZWnYVadE
vpOBjBAAotlbPkuuuvzmzYU/FU3sTS2ogJ2S3i+Zw3nWDyJH41rRw1/kI0+smyyu
vGg1AkvfMllHAAPm8yj1gCI1BJlCubpQsajNQGRY/zwjOHO+c7acru9vfdD7vA+E
Kjz+10/oSwD8cQs+Qc/IIel2+dyhvTNmnxXf5bd1DK6L0dMU+7dnQmKA1kirax3E
bLI4ZK6FPm9EWa2h351Oy+oVoummPmA21kMksHtymBy3yqlyVluvkDhceqCKSRCR
EMYbYe1o11ZlR27td3oBbP0RiA6loVJ3EW6Md1GjCbQSzoXySi8c6fxSqQpbij90
0ssoFdQiAM5vFTTyhZDcy7QYN0h5DQGrvG4myM16Nv+IjRG2mBd2kGTmv5kCvx9c
K+VersNRM1WHJkCNOLELehSefl42UPGYSb720k6k83lJruvQwFbjpljFSsfJPNEr
XM9PhZZJUrImnxczBQRVG6T29O853a7AKL439Tb8l1znpfK12djzPxsZmkPn315q
NHLyk3YWJwsxYgtz2xdlWQASCv3yc6MtoNVGsewOA6SOjwfZaVj3NEztk6UEMVyx
YxziRKBMDPbEKDtLQ+EG+tYb0/RB83U+J7fqUm5eM2RzqOZUKyy5BeDtvYlkK6qs
sjz5+c0DaJ+4afZDAsz57olz2UoE7ok5V/Cfe0SmGXpqPlClJjI=
=njY5
-----END PGP SIGNATURE-----
--cDh7xd3lbYCKzJ1OwpxyodPQOftaYd819--
--===============3215451961752635219==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline
LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK
--===============3215451961752635219==--
|
