ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as "ImageTragick".
CWE-20: Improper Input Validation - CVE-2016-3714
According to the researchers in a mailing list post:
An unauthenticated remote attacker that can upload crafted image files may be able to execute arbitrary code in the context of the user calling ImageMagick.
Apply an Update
Verify Files and Disable Vulnerable Filters
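One way to carry out the file verification step, shown as an added example that is not part of the original advisory: check an upload's leading "magic bytes" against a short allowlist, and require the claimed extension to agree, before the file is handed to ImageMagick. The accepted formats, the function names and the sample inputs are assumptions made for illustration.

```python
from typing import Optional

# Leading-byte signatures of the raster formats this hypothetical
# application accepts. The list is an assumption; keep it as short as possible.
ALLOWED_SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# File extensions mapped to the format they claim to be.
EXTENSION_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# Constructed sample inputs (not taken from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_TEXT_AS_JPG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>\n'


def sniff_format(data: bytes) -> Optional[str]:
    """Return the allowlisted format whose signature starts `data`, else None."""
    for name, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def safe_to_convert(data: bytes, claimed_extension: str) -> bool:
    """Accept only if the content is allowlisted AND matches the extension."""
    detected = sniff_format(data)
    if detected is None:
        return False  # unknown or text-based content: never pass it on
    claimed = EXTENSION_TO_FORMAT.get(claimed_extension.lower().lstrip("."))
    return claimed == detected


if __name__ == "__main__":
    for name, blob in (("photo.png", SAMPLE_PNG), ("upload.jpg", SAMPLE_TEXT_AS_JPG)):
        ext = name.rsplit(".", 1)[-1]
        print(name, "accept" if safe_to_convert(blob, ext) else "reject")
```

A check like this complements disabling the vulnerable filters and does not replace applying the update.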
|Vendor|Status|
|---|---|
|Arch Linux|Affected|
|Debian GNU/Linux|Affected|
|Fedora Project|Affected|
|Gentoo Linux|Affected|
|Red Hat, Inc.|Affected|
|SUSE Linux|Affected|
|Slackware Linux Inc.|Affected|
|openSUSE project|Affected|
The ImageTragick website credits Stewie and Nikolay Ermishkin of the Mail.Ru Security Team for discovering these vulnerabilities.
This document was written by Garret Wassermann.
Date First Published: 2016-05-04
Date Last Updated: 2016-05-04 21:14 UTC