Linux News Today: Canonical Patches ImageTragick Exploit in All Supported Ubuntu OSes, Update Now
Today, June 2, 2016, Canonical published an Ubuntu Security Notice to inform the community about an important security update to the ImageMagick packages for all supported Ubuntu OSes.
According to Ubuntu Security Notice USN-2990-1, there are two ImageMagick vulnerabilities affecting the Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 15.10 (Wily Werewolf), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin) operating systems, as well as all of their derivatives.
ImageMagick is an open-source image manipulation library that contains a set of commands which users can use to resize, crop, edit, compose, or convert various types of images. However, ImageMagick can also be easily integrated into various imaged editor programs.
Today’s update is very important as it patched the infamous “ImageTragick” exploit discovered a month ago by Nikolay Ermishkin and Stewie in the upstream ImageMagick packages, which failed to correctly sanitize untrusted input, thus allowing remote attackers to execute arbitrary code on the affected system.
“This update disables problematic coders via the /etc/ImageMagick-6/policy.xml configuration file. In certain environments the coders may need to be manually re-enabled after making sure that ImageMagick does not process untrusted input,” reads Canonical’s latest security notice for ImageMagick.
The second ImageMagick vulnerability patched in today’s update for Ubuntu Linux operating systems is a security issue discovered by Bob Friesenhahn in ImageMagick, which could allow remote attackers to run malicious code on the affected system by injecting commands via either an image file or filename.
All Ubuntu users need to update their systems as soon as possible
Therefore, if you are using one of the supported Ubuntu releases, Canonical recommends that you install the latest updates from the main software repositories using either the command-line APT package manager or the Ubuntu Software GUI, as soon as possible. The patched ImageMagick versions are now live.
The new ImageMagick versions are libmagick++-6.q16-5v5 8:188.8.131.52-7ubuntu5.1 for Ubuntu 16.04 LTS, libmagick++-6.q16-5v5 8:184.108.40.206-5ubuntu2.1 for Ubuntu 15.10, libmagick++5 8:220.127.116.11-6ubuntu3.1 for Ubuntu 14.04 LTS, and imagemagick-common 8:18.104.22.168-5ubuntu3.4 for Ubuntu 12.04 LTS.