Description: Several vulnerabilities were reported in ImageMagick. A remote user can cause arbitrary commands to be executed on the target user's system. A remote user can read, move, and delete arbitrary files on the target system.
The software does not properly filter parameters processed by the delegate command. A remote user can create a specially crafted image file that, when processed by the target application using ImageMagick, will trigger an input validation flaw and execute arbitrary shell commands on the target system [CVE-2016-3714]. The code will run with the privileges of the target application.
Affected versions: prior to versions 6.9.3-10, 7.0.1-1
Recommended action: The vendor plans to issue a fix (6.9.3-10, 7.0.1-1).
The vendor has described a 'policy.xml' configuration as a workaround in their advisory.
The vendor's advisory is available at: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
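As an added illustration of the kind of mitigation the advisory refers to (this is an example written here, not the vendor's own text), the following policy.xml fragment denies the coders that are commonly disabled to block the delegate and file-access paths while a patched build is not yet deployed. It assumes the policy file lives in ImageMagick's configured policy directory; the exact coder list the vendor recommends should be taken from the advisory linked above.

```xml
<!-- Added example: restrict risky coders in ImageMagick's policy.xml
     (location is installation-specific; assumed to be the directory
     reported by `convert -list configure | grep CONFIGURE_PATH`). -->
<policymap>
  <!-- EPHEMERAL/URL/HTTPS/MVG/MSL are the coders whose inputs reach the
       delegate command or allow reading, moving and deleting files. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- Deny indirect file reads via the "@filename" syntax. -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

After installing the file, `convert -list policy` prints the active policy, which lets you confirm the denials are actually in effect for the binary your application invokes.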