ImageMagick File Processing vulnerabilities and Input validation error


Description: Several vulnerabilities were reported in ImageMagick. A remote user can cause arbitrary commands to be executed on the target user's system, and can read, move, and delete arbitrary files on the target system.

ImageMagick does not properly sanitize the parameters it passes to delegate commands (the external programs it launches through a shell to handle certain formats). A remote user can create a specially crafted image file that, when processed by an application using ImageMagick, triggers this input validation flaw and executes arbitrary shell commands on the target system [CVE-2016-3714]. The commands run with the privileges of the application that invoked ImageMagick. Note that ImageMagick selects the coder from the file's content rather than its extension, so an upload filter based on file names alone does not block the crafted file.

Affected versions: prior to 6.9.3-10 and 7.0.1-1
Recommended action: Upgrade once the fix is available; the vendor plans to issue it in versions 6.9.3-10 and 7.0.1-1.

Until then, the vendor has described a 'policy.xml' configuration in their advisory that works around the issue by disabling the affected coders.
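The following is an added example, not code from the original post or from the ImageMagick project. It embeds two constructed policy fragments, a stock policy that leaves every coder enabled and the same policy with the five `domain="coder"` denials the advisory lists (EPHEMERAL, URL, HTTPS, MVG, MSL), and checks which of the required coders a given policy.xml still permits. Policy patterns are treated as globs and compared in upper case, which is this script's own normalization (ImageMagick coder names are upper case); the function and constant names are the script's, not ImageMagick's.

```python
"""Check an ImageMagick policy.xml for the coder denials that
work around CVE-2016-3714 (shell injection via delegate commands)."""
import fnmatch
import xml.etree.ElementTree as ET

# Coder patterns the vendor advisory says to deny.
ADVISORY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample: a typical policy that only limits resources and
# leaves every coder enabled, i.e. the vulnerable configuration.
POLICY_BEFORE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# The same policy with the advisory's workaround applied: rights="none"
# disables a coder entirely, so these formats can no longer reach a
# delegate command.
POLICY_AFTER = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""


def denied_patterns(policy_xml: str) -> list:
    """Return the patterns of every coder policy with rights="none".

    Only rights="none" disables a coder; entries such as "read" or
    "read|write" still allow the coder to run, so they are ignored.
    """
    root = ET.fromstring(policy_xml)
    patterns = []
    for entry in root.iter("policy"):
        if entry.get("domain") != "coder":
            continue
        rights = (entry.get("rights") or "").strip().lower()
        pattern = entry.get("pattern")
        if pattern and rights == "none":
            patterns.append(pattern.upper())
    return patterns


def coder_is_denied(coder: str, patterns: list) -> bool:
    """True if any denial pattern glob-matches the coder name.

    Glob matching means a catch-all entry such as pattern="*" (deny
    everything, then re-enable what you need) also counts as a denial.
    """
    return any(fnmatch.fnmatchcase(coder.upper(), p) for p in patterns)


def missing_mitigations(policy_xml: str, required=ADVISORY_CODERS) -> list:
    """Coders from `required` that the given policy still allows."""
    patterns = denied_patterns(policy_xml)
    return [c for c in required if not coder_is_denied(c, patterns)]


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        missing = missing_mitigations(policy)
        status = "workaround in place" if not missing else "still enabled: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run the check against the policy.xml that ImageMagick actually loads rather than a copy you believe is in use; `convert -list policy` (or `magick -list policy` on 7.x) prints the effective policy and the path it was read from. The policy is a stop-gap: it only blocks the coders named in it, so upgrading to a fixed release remains the real fix.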

The vendor's advisory is available at: https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588

Origin URLs:

  1. https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
  2. http://securitytracker.com/id/1035742
