Summary: | <media-gfx/imagemagick-{6.9.12.76, 7.1.0.61}: information disclosure / local file inclusion | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | codec |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 895246, 900897, 900899 | ||
Bug Blocks: |
Description
Hanno Böck
2023-02-07 18:41:43 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef065fe55443031e1f5e67adfe6f9a1ce15245e commit 3ef065fe55443031e1f5e67adfe6f9a1ce15245e Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2023-02-08 14:56:08 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2023-02-08 14:58:58 +0000 media-gfx/imagemagick: add 6.9.12.76, 7.1.0.61 Bug: https://bugs.gentoo.org/893526 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> media-gfx/imagemagick/Manifest | 2 + media-gfx/imagemagick/imagemagick-6.9.12.76.ebuild | 269 ++++++++++++++++++++ media-gfx/imagemagick/imagemagick-7.1.0.61.ebuild | 278 +++++++++++++++++++++ 3 files changed, 549 insertions(+) Can we stabilize a newer version? Sorry, yes, the delay was in me getting to bug 895246 (In reply to Hanno Böck from comment #0) > This sounds severe: > https://www.metabaseq.com/imagemagick-zero-days/ > https://github.com/Sybil-Scan/imagemagick-lfi-poc > > It doesn't say which version fixes it, but I believe based on upstream's > changelog at > https://github.com/ImageMagick/Website/blob/main/ChangeLog.md > > it's probably this: > "disable setting profile:<filename> property as it is a security risk > 8235d35" > with patch here: > https://github.com/ImageMagick/ImageMagick/commit/ > 8235d35d41f8d3cbd0c20612c406129593dbbf73 > > This is fixed in upstream's 7.1.0-61. ... and https://github.com/ImageMagick/ImageMagick6/commit/222845f6a0848c1e1c567bb1618617e786523bb2 for IM6. CVE-2022-44267 (https://www.metabaseq.com/imagemagick-zero-days/): ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=4a7120d937eaaec2a14046c3d00320bd902c32bf commit 4a7120d937eaaec2a14046c3d00320bd902c32bf Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-05-04 06:13:29 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-05-04 06:14:05 +0000 [ GLSA 202405-02 ] ImageMagick: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/835931 Bug: https://bugs.gentoo.org/843833 Bug: https://bugs.gentoo.org/852947 Bug: https://bugs.gentoo.org/871954 Bug: https://bugs.gentoo.org/893526 Bug: https://bugs.gentoo.org/904357 Bug: https://bugs.gentoo.org/908082 Bug: https://bugs.gentoo.org/917594 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202405-02.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) |