Comment 3 for bug 1578398

Jon, severity in launchpad is mostly unused. (Maybe some teams use it but I'm not aware of them.) Issues that the Ubuntu Security Team tracks are on the Ubuntu CVE Tracker:

https://people.canonical.com/~ubuntu-security/cve/pkg/imagemagick.html

Now the bad news -- I don't think the upstream developers have understood the issues and prepared meaningful patches. My full critique is at http://www.openwall.com/lists/oss-security/2016/05/03/19 .

Ideally the upstream authors will create patches that do address my concerns (and the concerns raised by the mail.ru security team privately with the upstream authors).

There's some suggestions here for mitigations: https://imagetragick.com/

I recommend testing these mitigations in your environment. I also recommend using AppArmor to confine services that allow users to provide images for ImageMagick manipulation.

Thanks