Bug 62229

Summary: ImageMagick 6.0.5.2 not available -- need to bump version
Product: Gentoo Linux
Reporter: David Ripton <dripton>
Component: New packages
Assignee: Gentoo Graphics Project <graphics+disabled>
Status: RESOLVED FIXED
Severity: normal
CC: vorlon
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 62309

Description David Ripton 2004-08-30 06:22:42 UTC
media-gfx/imagemagick-6.0.5.2 is the current masked (~x86) version in portage.

emerge tries to download ImageMagick-6.0.5-2.tar.bz2 from various Gentoo and SourceForge mirrors, but the file isn't on any of them.  It's not on ftp.imagemagick.org either.

It appears that the ImageMagick project has yanked this version from their site.  Looks like all recent versions were bumped on August 23.  The changelog shows that a BMP buffer overrun was fixed on that date.  Reading between the lines, it appears that 6.0.5-2 is strongly deprecated due to a security flaw.

Recommend bumping the ~x86 version of this ebuild to 6.0.5-4 (the fixed and currently available 6.0.5 version) or 6.0.6-2 (the version the ImageMagick project considers stable).

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-30 13:05:29 UTC
The 6.0.5-2 version is indeed not available on SF or ftp.imagemagick.com, but it seems to have hit the distfile mirrors now.
The -4 Changelog doesn't mention the buffer overflow though, but the CVS Changelog does.

Comment 2 Karol Wojtaszek (RETIRED) gentoo-dev 2004-09-06 06:25:07 UTC
I've just added ImageMagick-6.0.7.1 to portage.