This sounds severe: https://www.metabaseq.com/imagemagick-zero-days/ https://github.com/Sybil-Scan/imagemagick-lfi-poc It doesn't say which version fixes it, but I believe based on upstream's changelog at https://github.com/ImageMagick/Website/blob/main/ChangeLog.md it's probably this: "disable setting profile:<filename> property as it is a security risk 8235d35" with patch here: https://github.com/ImageMagick/ImageMagick/commit/8235d35d41f8d3cbd0c20612c406129593dbbf73 This is fixed in upstream's 7.1.0-61.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef065fe55443031e1f5e67adfe6f9a1ce15245e commit 3ef065fe55443031e1f5e67adfe6f9a1ce15245e Author: Andreas K. Hüttel <dilfridge@gentoo.org> AuthorDate: 2023-02-08 14:56:08 +0000 Commit: Andreas K. Hüttel <dilfridge@gentoo.org> CommitDate: 2023-02-08 14:58:58 +0000 media-gfx/imagemagick: add 6.9.12.76, 7.1.0.61 Bug: https://bugs.gentoo.org/893526 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org> media-gfx/imagemagick/Manifest | 2 + media-gfx/imagemagick/imagemagick-6.9.12.76.ebuild | 269 ++++++++++++++++++++ media-gfx/imagemagick/imagemagick-7.1.0.61.ebuild | 278 +++++++++++++++++++++ 3 files changed, 549 insertions(+)
Can we stabilize a newer version?
Sorry, yes, the delay was in me getting to bug 895246
(In reply to Hanno Böck from comment #0) > This sounds severe: > https://www.metabaseq.com/imagemagick-zero-days/ > https://github.com/Sybil-Scan/imagemagick-lfi-poc > > It doesn't say which version fixes it, but I believe based on upstream's > changelog at > https://github.com/ImageMagick/Website/blob/main/ChangeLog.md > > it's probably this: > "disable setting profile:<filename> property as it is a security risk > 8235d35" > with patch here: > https://github.com/ImageMagick/ImageMagick/commit/ > 8235d35d41f8d3cbd0c20612c406129593dbbf73 > > This is fixed in upstream's 7.1.0-61. ... and https://github.com/ImageMagick/ImageMagick6/commit/222845f6a0848c1e1c567bb1618617e786523bb2 for IM6.
CVE-2022-44267 (https://www.metabaseq.com/imagemagick-zero-days/): ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.