Test ID: 1.3.6.1.4.1.25623.1.1.1.2.2016.484
Category: Debian Local Security Checks
Title: Debian: Security Advisory (DLA-484-1)
Summary: The remote host is missing an update for the Debian 'graphicsmagick' package(s) announced via the DLA-484-1 advisory.
Description:

Vulnerability Insight:
Several security vulnerabilities were discovered in graphicsmagick, a tool to manipulate image files.

GraphicsMagick is a fork of ImageMagick and is also affected by the vulnerabilities collectively known as ImageTragick, which are the consequence of a lack of sanitization of untrusted input. An attacker with control over the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files.

To address these concerns the following changes have been made:

Remove automatic detection/execution of MVG based on file header or file extension.

Remove the ability to cause an input file to be deleted based on a filename specification.

Improve the safety of delegates.mgk by removing gnuplot support, removing manual page support, and by adding -dSAFER to all ghostscript invocations.

Sanity check the MVG image primitive filename argument to assure that 'magick:' prefix strings will not be interpreted. Please note that this patch will break intentional uses of magick prefix strings in MVG and so some MVG scripts may fail. We will search for a more flexible solution.

In addition the following issues have been fixed:

CVE-2015-8808

Assure that the GIF decoder does not use uninitialized data and cause an out-of-bounds read.

CVE-2016-2317 and CVE-2016-2318

Vulnerabilities that allow reading or writing outside memory bounds (heap, stack), as well as some null-pointer dereferences, to cause a denial of service when parsing SVG files.

For Debian 7 Wheezy, these problems have been fixed in version 1.3.16-1.1+deb7u1.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS:
'graphicsmagick' package(s) on Debian 7.

Solution:
Please install the updated package(s).

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2015-8808
BugTraq ID: 83058
http://www.securityfocus.com/bid/83058
Debian Security Information: DSA-3746
http://www.debian.org/security/2016/dsa-3746
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177834.html
http://marc.info/?l=graphicsmagick-commit&m=142283721604323&w=2
http://www.openwall.com/lists/oss-security/2016/02/06/1
http://www.openwall.com/lists/oss-security/2016/02/06/3
SuSE Security Announcement: SUSE-SU-2016:1614
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00032.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-2317
BugTraq ID: 83241
http://www.securityfocus.com/bid/83241
http://www.openwall.com/lists/oss-security/2016/02/11/6
http://www.openwall.com/lists/oss-security/2016/05/20/4
http://www.openwall.com/lists/oss-security/2016/05/27/4
http://www.openwall.com/lists/oss-security/2016/05/31/3
http://www.openwall.com/lists/oss-security/2016/09/07/4
http://www.openwall.com/lists/oss-security/2016/09/18/8
SuSE Security Announcement: SUSE-SU-2016:1783
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00010.html
SuSE Security Announcement: openSUSE-SU-2016:1724
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00000.html
SuSE Security Announcement: openSUSE-SU-2016:2073
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00037.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-2318
Common Vulnerability Exposure (CVE) ID: CVE-2016-3714
1035742
http://www.securitytracker.com/id/1035742
20160513 May 2016 - HipChat Server - Critical Security Advisory
http://www.securityfocus.com/archive/1/538378/100/0/threaded
39767
https://www.exploit-db.com/exploits/39767/
39791
https://www.exploit-db.com/exploits/39791/
89848
http://www.securityfocus.com/bid/89848
DSA-3580
http://www.debian.org/security/2016/dsa-3580
DSA-3746
GLSA-201611-21
https://security.gentoo.org/glsa/201611-21
RHSA-2016:0726
http://rhn.redhat.com/errata/RHSA-2016-0726.html
SSA:2016-132-01
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568
SUSE-SU-2016:1260
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00024.html
SUSE-SU-2016:1275
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00032.html
SUSE-SU-2016:1301
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00041.html
USN-2990-1
http://www.ubuntu.com/usn/USN-2990-1
VU#250519
https://www.kb.cert.org/vuls/id/250519
[oss-security] 20160503 ImageMagick Is On Fire -- CVE-2016-3714
http://www.openwall.com/lists/oss-security/2016/05/03/13
[oss-security] 20160504 Re: ImageMagick Is On Fire -- CVE-2016-3714
http://www.openwall.com/lists/oss-security/2016/05/03/18
http://git.imagemagick.org/repos/ImageMagick/blob/a01518e08c840577cabd7d3ff291a9ba735f7276/ChangeLog
http://packetstormsecurity.com/files/152364/ImageTragick-ImageMagick-Proof-Of-Concepts.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.rapid7.com/db/modules/exploit/unix/fileformat/imagemagick_delegate
https://access.redhat.com/security/vulnerabilities/2296071
https://bugzilla.redhat.com/show_bug.cgi?id=1332492
https://imagetragick.com/
https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
https://www.imagemagick.org/script/changelog.php
openSUSE-SU-2016:1261
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00025.html
openSUSE-SU-2016:1266
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00028.html
openSUSE-SU-2016:1326
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00051.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-3715
89852
http://www.securityfocus.com/bid/89852
Common Vulnerability Exposure (CVE) ID: CVE-2016-3716
[debian-lts-announce] 20180627 [SECURITY] [DLA 1401-1] graphicsmagick security update
https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-3717
Common Vulnerability Exposure (CVE) ID: CVE-2016-3718
Common Vulnerability Exposure (CVE) ID: CVE-2016-5239
BugTraq ID: 91018
http://www.securityfocus.com/bid/91018
http://git.imagemagick.org/repos/ImageMagick/commit/70a2cf326ed32bedee144b961005c63846541a16
https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
http://www.openwall.com/lists/oss-security/2016/06/02/13
RedHat Security Advisories: RHSA-2016:1237
https://access.redhat.com/errata/RHSA-2016:1237
Copyright: Copyright (C) 2023 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.