ImageMagick Security Issue: CVE-2016-3714

Bug #1578398 reported by Valorie Zimmerman on 2016-05-04
Affects                 Status         Importance   Assigned to    Milestone
imagemagick (Debian)    Fix Released   Unknown
imagemagick (Ubuntu)                   Medium       Seth Arnold
  Precise                              Medium       Seth Arnold
  Trusty                               Medium       Seth Arnold
  Wily                                 Medium       Seth Arnold
  Xenial                               Medium       Seth Arnold
  Yakkety                              Medium       Seth Arnold

Bug Description

Imagemagick Announce on Discourse: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

https://imagetragick.com headlined: ImageMagick Is On Fire — CVE-2016–3714

It would be great if this can be fixed quickly, to keep Ubuntu users safe.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: imagemagick 8:6.8.9.9-7ubuntu5
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: KDE
Date: Wed May 4 14:28:39 2016
InstallationDate: Installed on 2015-08-11 (267 days ago)
InstallationMedia: It
SourcePackage: imagemagick
UpgradeStatus: Upgraded to xenial on 2016-03-27 (38 days ago)

information type: Private Security → Public Security
Changed in imagemagick (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in imagemagick (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → Medium
Changed in imagemagick (Ubuntu Wily):
status: New → Confirmed
importance: Undecided → Medium
Changed in imagemagick (Ubuntu Xenial):
status: New → Confirmed
Changed in imagemagick (Ubuntu Yakkety):
status: New → Confirmed
Changed in imagemagick (Ubuntu Xenial):
importance: Undecided → Medium
Changed in imagemagick (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in imagemagick (Ubuntu Precise):
assignee: nobody → Seth Arnold (seth-arnold)
Changed in imagemagick (Ubuntu Trusty):
assignee: nobody → Seth Arnold (seth-arnold)
Changed in imagemagick (Ubuntu Wily):
assignee: nobody → Seth Arnold (seth-arnold)
Changed in imagemagick (Ubuntu Xenial):
assignee: nobody → Seth Arnold (seth-arnold)
Changed in imagemagick (Ubuntu Yakkety):
assignee: nobody → Seth Arnold (seth-arnold)
Jon Chappell (j00) wrote :

It's a little unclear how this only warrants a severity of "medium" given that it is a full remote code execution exploit with actual weaponized code in the wild.

Seth Arnold (seth-arnold) wrote :

Jon, severity in launchpad is mostly unused. (Maybe some teams use it but I'm not aware of them.) Issues that the Ubuntu Security Team tracks are on the Ubuntu CVE Tracker:

https://people.canonical.com/~ubuntu-security/cve/pkg/imagemagick.html

Now the bad news -- I don't think the upstream developers have understood the issues and prepared meaningful patches. My full critique is at http://www.openwall.com/lists/oss-security/2016/05/03/19 .

Ideally the upstream authors will create patches that do address my concerns (and the concerns raised by the mail.ru security team privately with the upstream authors).

There's some suggestions here for mitigations: https://imagetragick.com/

I recommend testing these mitigations in your environment. I also recommend using AppArmor to confine services that allow users to provide images for ImageMagick manipulation.

Thanks

Sven (muffl0n) wrote :

I allowed myself to change the title of the bug so it's more meaningful and can be found by searching for the CVE-Code.

summary: - ImageMagick Security Issue reported yesterday
+ ImageMagick Security Issue: CVE-2016-3714
Dariusz Gadomski (dgadomski) wrote :

Adding a debdiff for yakkety.
I have updated the policy.xml as recommended to increase the OOB security until upstream gets fixed.
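Added example for the two mitigations discussed in Seth's comment above and applied in Dariusz's policy.xml update: auditing a policy.xml for the coder restrictions imagetragick.com recommends, and checking an upload's magic bytes before ImageMagick ever sees it. This is not code from the bug report, Ubuntu or ImageMagick; the policy.xml texts, the accepted-format table and the upload bytes are constructed samples, and the coder list (EPHEMERAL, URL, HTTPS, MVG, MSL) is the one the ImageTragick page gave.

```python
"""Preflight checks for a service that hands user uploads to ImageMagick.

Added example for this thread, not code from the bug report, Ubuntu or
ImageMagick.  (1) audits a policy.xml for the coder restrictions that
imagetragick.com recommended (EPHEMERAL, URL, HTTPS, MVG, MSL) and (2) checks
an upload's magic bytes against its claimed type, the other mitigation from
that page.  All policy.xml text and upload bytes below are constructed.
"""
from typing import Dict, List, Set
import xml.etree.ElementTree as ET

# Coders imagetragick.com recommended disabling with rights="none".
IMAGETRAGICK_CODERS = frozenset({"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"})

# Constructed sample: a policy.xml with no coder restrictions at all.
WEAK_POLICY = """<policymap>
  <!-- resource limits only; every coder stays enabled -->
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample: the same file with the recommended coder restrictions.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""


def disabled_coders(policy_xml: str) -> Set[str]:
    """Coder patterns the policy grants no rights to (upper-cased)."""
    root = ET.fromstring(policy_xml)
    found = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder":
            continue
        if pol.get("rights", "").strip().lower() == "none":
            found.add(pol.get("pattern", "").strip().upper())
    return found


def missing_restrictions(policy_xml: str, required=IMAGETRAGICK_CODERS) -> List[str]:
    """Required coders the policy still leaves enabled, sorted for stable reports."""
    return sorted(set(required) - disabled_coders(policy_xml))


# Leading bytes for the only formats this hypothetical service accepts.
MAGIC: Dict[str, tuple] = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def magic_matches(data: bytes, claimed_type: str) -> bool:
    """True only if the upload starts with a signature of the claimed type.

    Anything else, including a type not in MAGIC, is rejected, so ImageMagick
    never gets to sniff the content and pick a coder such as MVG on its own.
    """
    signatures = MAGIC.get(claimed_type.lower())
    if not signatures:
        return False
    return any(data.startswith(sig) for sig in signatures)


def should_process(data: bytes, claimed_type: str, policy_xml: str) -> bool:
    """Combined gate: magic bytes match and the policy disables the risky coders."""
    return magic_matches(data, claimed_type) and not missing_restrictions(policy_xml)


# Constructed uploads: a minimal PNG header, and MVG text submitted under a
# .jpg name.  ImageMagick chooses the coder from the content, not the name,
# so only the magic-byte check catches the second one.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
SAMPLE_MVG_AS_JPEG = b"push graphic-context\nviewbox 0 0 640 480\n"

if __name__ == "__main__":
    print("weak policy still allows:", missing_restrictions(WEAK_POLICY))
    print("hardened policy still allows:", missing_restrictions(HARDENED_POLICY))
    print("png upload accepted:", should_process(SAMPLE_PNG, "png", HARDENED_POLICY))
    print("mvg-as-jpeg accepted:", should_process(SAMPLE_MVG_AS_JPEG, "jpeg", HARDENED_POLICY))
```

The magic check only rejects files whose first bytes disagree with the declared type; it validates nothing past the header, so it is a preflight, not a replacement for the policy restriction or for confining the converter with AppArmor as Seth suggests. Later revisions of the ImageTragick advice added further coders (TEXT, SHOW, WIN, PLT), which is why `missing_restrictions` takes the required set as a parameter rather than hard-coding it.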

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for Xenial.

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for wily.

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for Trusty.

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for Precise.

The attachment "yakkety_imagemagick_6.8.9.9-7ubuntu7.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

Dariusz, those debdiffs look good with the exception of the funny filename:
+CVE-2016–3714-workaround.patch

The ImageTragick team used a funny em-dash instead of a hyphen when they gave the name of the CVE on their website, which has led to all kinds of funny "CVE not found" and similar errors -- as well as these funny filenames -- when people copy-and-paste it from their website.

I'm still hopeful for releasing updates at the end of my day on Monday; perhaps these patches would make sense for users who cannot wait any longer.

Thanks
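Added example for the copy-paste problem Seth describes above: the CVE id on the ImageTragick site uses a Unicode en dash (U+2013) where the second character should be an ASCII hyphen, so exact-match lookups and generated filenames break. This is not code from the bug report or Launchpad; the inputs are constructed, and the dash list is the set of dash-like code points this example chooses to tolerate.

```python
"""Tolerant CVE identifier matching for copy-pasted text.

Added example, not code from the bug report or Launchpad.  Handles the case
above: an identifier pasted with a Unicode dash (the en dash U+2013 in this
thread) in place of ASCII "-".  Inputs in the tests are constructed.
"""
import re
from typing import Optional

# ASCII hyphen plus the dash-like code points that show up in pasted text:
# hyphen, non-breaking hyphen, figure dash, en dash, em dash, horizontal bar,
# minus sign and the fullwidth hyphen-minus.
_DASH_CLASS = "[-\u2010\u2011\u2012\u2013\u2014\u2015\u2212\uff0d]"
_CVE_TOKEN = re.compile("CVE" + _DASH_CLASS + r"(\d{4})" + _DASH_CLASS + r"(\d{4,})",
                        re.IGNORECASE)
_CANONICAL = re.compile(r"CVE-\d{4}-\d{4,}")


def fix_cve_dashes(text: str) -> str:
    """Rewrite every CVE-looking token in text (filename, mail body) to ASCII form."""
    return _CVE_TOKEN.sub(lambda m: f"CVE-{m.group(1)}-{m.group(2)}", text)


def normalize_cve(token: str) -> Optional[str]:
    """Return 'CVE-YYYY-NNNN' for a lone identifier, or None if it is not one."""
    fixed = fix_cve_dashes(token.strip())
    return fixed.upper() if _CANONICAL.fullmatch(fixed) else None


if __name__ == "__main__":
    print(fix_cve_dashes("+CVE-2016\u20133714-workaround.patch"))
    print(normalize_cve("CVE-2016\u20133714"))
```

Use `normalize_cve` at the point where an identifier enters a tracker or lookup, and `fix_cve_dashes` when renaming files such as the debdiff patch above; both leave genuinely different strings alone rather than guessing.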

Dariusz Gadomski (dgadomski) wrote :

Adding a debdiff for yakkety.

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for Xenial.

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for Wily.

Dariusz Gadomski (dgadomski) wrote :

Adding SRU proposal for Trusty.

Dariusz Gadomski (dgadomski) wrote :

SRU proposal for Precise.

Dariusz Gadomski (dgadomski) wrote :

Sorry about that Seth. I've just attached fixed debdiffs.

Changed in imagemagick (Debian):
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs Dariusz! We ended up releasing updates using a bunch of Debian's patches:

http://www.ubuntu.com/usn/usn-2990-1/

I'm closing out this bug, since we're now fixed in all supported releases.

Changed in imagemagick (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in imagemagick (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in imagemagick (Ubuntu Wily):
status: Confirmed → Fix Released
Changed in imagemagick (Ubuntu Xenial):
status: Confirmed → Fix Released
Changed in imagemagick (Ubuntu Yakkety):
status: Confirmed → Fix Released