{"id":"MGASA-2016-0188","summary":"Updated imagemagick/ruby-rmagic packages fix security vulnerability","details":"It was discovered that ImageMagick did not properly sanitize certain input\nbefore passing it to the delegate functionality. A remote attacker could\ncreate a specially crafted image that, when processed by an application\nusing ImageMagick or an unsuspecting user using the ImageMagick utilities,\nwould lead to arbitrary execution of shell commands with the privileges of\nthe user running the application (CVE-2016-3714).\n\nIt was discovered that certain ImageMagick coders and pseudo-protocols did\nnot properly prevent security sensitive operations when processing\nspecially crafted images. A remote attacker could create a specially\ncrafted image that, when processed by an application using ImageMagick or\nan unsuspecting user using the ImageMagick utilities, would allow the\nattacker to delete, move, or disclose the contents of arbitrary files\n(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717).\n\nA server-side request forgery flaw was discovered in the way ImageMagick\nprocessed certain images. A remote attacker could exploit this flaw to\nmislead an application using ImageMagick or an unsuspecting user using the\nImageMagick utilities into, for example, performing HTTP(S) requests or\nopening FTP sessions via specially crafted images (CVE-2016-3718).\n\nThe imagemagick package has been updated to version 6.9.4-2 to fix these\nissues and several other bugs.\n","modified":"2026-02-04T03:16:42.269424Z","published":"2016-05-20T11:38:30Z","related":["CVE-2016-3714","CVE-2016-3715","CVE-2016-3716","CVE-2016-3717","CVE-2016-3718"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0188.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=18347"},{"type":"REPORT","url":"http://git.imagemagick.org/repos/ImageMagick/blob/dce8f08c7bf7a92c451f45a684ca96434684a69e/ChangeLog"},{"type":"REPORT","url":"https://rhn.redhat.com/errata/RHSA-2016-0726.html"}],"affected":[{"package":{"name":"imagemagick","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/imagemagick?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.9.4.2-0.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0188.json"}},{"package":{"name":"ruby-rmagick","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ruby-rmagick?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.13.2-21.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0188.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}