Summary: | <media-gfx/graphicsmagick-1.3.24, <media-gfx/imagemagick-6.9.4.6: popen() shell vulnerability via filename (CVE-2016-5118) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ap, dennis, himbeere, holger |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2016/05/29/7 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2016-05-30 08:16:00 UTC
This affects imagemagick as well. 6.9.4-5 and 7.0.1-7 have been released upstream and contain fixes related to this. Given the severity of these imagemagick issues I think we're handling them too slowly. Please bump asap and start stabilization. commit 68407a602cc64231cd887123da2d33dbe5756230 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Thu Jun 2 08:15:11 2016 media-gfx/graphicsmagick: Bump to version 1.3.24 Package-Manager: portage-2.2.28 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> commit 33e9a7af50f7b2a5cbb20229deb94d4cb920fe67 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Thu Jun 2 08:04:09 2016 media-gfx/imagemagick: Bump to versions 6.9.4.6 and 7.0.1.8 Removed old. Package-Manager: portage-2.2.28 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> @security, please do the stable request for both packages. In case of imagemagick we cannot stabilize version 7 as it still breaks too many packages. Arches please test and mark stable the following two packages. =media-gfx/imagemagick-6.9.4.6 with target KEYWORDS: alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris =media-gfx/graphicsmagick-1.3.24 with target KEYWORDS: alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos amd64 stable x86 stable Stable for PPC64. Not holding this up because Security, but it newly fails the test suite (6.9.4.1 passes, IIRC). I'll file a separate bug about that. Both stable on alpha. Stable for HPPA. arm stable ppc stable sparc stable ia64 stable. Maintainer(s), please cleanup. (In reply to Agostino Sarubbo from comment #12) > ia64 stable. > > Maintainer(s), please cleanup. done. CVE-2016-5118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5118): The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. GLSA Vote: No commit 1a4c6b2bea42b8631c56c861c37f88930da4f007 (HEAD -> master) Author: Patrice Clement <monsieurp@gentoo.org> AuthorDate: Mon Jul 11 12:07:34 2016 +0000 Commit: Patrice Clement <monsieurp@gentoo.org> CommitDate: Mon Jul 11 12:20:50 2016 +0000 dev-python/pythonmagick: Remove v0.9.11 relying on unsecure and outdated releases of ImageMagick. Gentoo-Bug: https://bugs.gentoo.org/584512 Package-Manager: portage-2.2.28 dev-python/pythonmagick/Manifest | 1 - dev-python/pythonmagick/pythonmagick-0.9.11.ebuild | 61 ---------------------- 2 files changed, 62 deletions(-) delete mode 100644 dev-python/pythonmagick/pythonmagick-0.9.11.ebuild |