ImageMagick Security Issue: CVE-2016-3714

It's a little unclear how this only warrants a severity of "medium" given that it is a full remote code execution exploit with actual weaponized code in the wild.

Jon, severity in launchpad is mostly unused. (Maybe some teams use it but I'm not aware of them.) Issues that the Ubuntu Security Team tracks are on the Ubuntu CVE Tracker:

https://people.canonical.com/~ubuntu-security/cve/pkg/imagemagick.html

Now the bad news -- I don't think the upstream developers have understood the issues and prepared meaningful patches. My full critique is at http://www.openwall.com/lists/oss-security/2016/05/03/19 .

Ideally the upstream authors will create patches that do address my concerns (and the concerns raised by the mail.ru security team privately with the upstream authors).

There's some suggestions here for mitigations: https://imagetragick.com/

I recommend testing these mitigations in your environment. I also recommend using AppArmor to confine services that allow users to provide images for ImageMagick manipulation.

Thanks

I allowed myself to change the title of the bug so it's more meaningful and can be found by searching for the CVE-Code.

Adding a debdiff for yakkety.
I have updated the policy.xml as recommended to increase the OOB security until the upstream get fixed.

Adding SRU proposal for Xenial.

Adding SRU proposal for wily.

Adding SRU proposal for Trusty.

Adding SRU proposal for Precise.

The attachment "yakkety_imagemagick_6.8.9.9-7ubuntu7.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Dariusz, those debdiffs look good with the exception of the funny filename:
+CVE-2016–3714-workaround.patch

The ImageTragick team used a funny em-dash instead of a hyphen when they gave the name of the CVE on their website, which has led to all kinds of funny "CVE not found" and similar errors -- as well as these funny filenames -- when people copy-and-paste it from their website.

I'm still hopeful for releasing updates at the end of my day on Monday; perhaps these patches would make sense for users who cannot wait any longer.

Thanks

Adding a debdiff for yakkety.

Adding SRU proposal for Xenial.

Adding SRU proposal for Wily.

Adding SRU proposal for Trusty.

SRU proposal for Precise.

Sorry about that Seth. I've just attached fixed debdiffs.

Thanks for the debdiffs Dariusz! We ended up releasing updates using a bunch of Debian's patches:

http://www.ubuntu.com/usn/usn-2990-1/

I'm closing out this bug, since we're now fixed in all supported releases.