Bug 908082 (CVE-2023-2157, CVE-2023-34151, CVE-2023-34153) - <media-gfx/imagemagick-{6.9.12.88,7.1.1.11}: multiple vulnerabilities
Summary: <media-gfx/imagemagick-{6.9.12.88,7.1.1.11}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-2157, CVE-2023-34151, CVE-2023-34153
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 907992 907993
Blocks:
Reported: 2023-06-09 03:57 UTC by John Helmert III
Modified: 2024-05-04 06:16 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-09 03:57:03 UTC
CVE-2023-2157 (https://bugzilla.redhat.com/show_bug.cgi?id=2208537):

A heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.

Patch in 7.1.1-7: https://github.com/ImageMagick/ImageMagick/commit/9a9896fce95d09e5e47b86baccbe1ce1a2fca76b

Is there a fix in 6.x?

CVE-2023-34151 (https://github.com/ImageMagick/ImageMagick/issues/6341):

A vulnerability was found in ImageMagick. This security flaw occurs as undefined behavior when casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).

Fix in 6.9.12-88: https://github.com/ImageMagick/ImageMagick6/commit/133089f716f23ce0b80d89ccc1fd680960235512
Fix in 7.1.1-10: https://github.com/ImageMagick/ImageMagick/commit/3d6d98d8a2be30d74172ab43b5b8e874d2deb158

CVE-2023-34152 (https://github.com/ImageMagick/ImageMagick/issues/6339):

A vulnerability was found in ImageMagick. This security flaw causes a remote code execution vulnerability in OpenBlob with --enable-pipes configured.

Apparently upstream thinks this is invalid, so keeping it off the CVE list.

CVE-2023-34153 (https://github.com/ImageMagick/ImageMagick/issues/6338):

A vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.

Fix in 7.1.1-10: https://github.com/ImageMagick/ImageMagick/commit/d31c80d15a2c82fc1dd8e889e0f97b0219079a57

Is there a fix in 6.x?
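
The bug class named under CVE-2023-34151 above (converting an out-of-range double to size_t is undefined behavior in C), shown as an added example that is not part of this bug report and not ImageMagick's code. The helper names, status codes and sample attribute strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { CAST_OK, CAST_NAN, CAST_NEGATIVE, CAST_TOO_LARGE } cast_status;

/* Hypothetical helper, not ImageMagick's API: range-check before converting. */
static cast_status checked_double_to_size_t(double value, size_t *out)
{
    /* 2^N for an N-bit size_t, built from exactly representable factors.
       (double)SIZE_MAX rounds up to this same value, so the test must be
       ">=": a "> (double)SIZE_MAX" check would let 2^N through. */
    const double limit = (double)(SIZE_MAX / 2 + 1) * 2.0;

    *out = 0;
    if (value != value)       /* NaN is the only value unequal to itself */
        return CAST_NAN;
    if (value < 0.0)          /* conservative: reject every negative input */
        return CAST_NEGATIVE;
    if (value >= limit) {     /* also catches +infinity */
        *out = SIZE_MAX;
        return CAST_TOO_LARGE;
    }
    *out = (size_t)value;     /* in range, so the truncation is well defined */
    return CAST_OK;
}

/* Parse a numeric attribute the way a vector-format reader might. */
static cast_status parse_dimension(const char *text, size_t *out)
{
    return checked_double_to_size_t(strtod(text, NULL), out);
}

int main(void)
{
    /* Constructed sample attribute values. */
    const char *samples[] = { "640", "1e30", "-5", "nan", "inf" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n;
        cast_status s = parse_dimension(samples[i], &n);
        printf("%-5s -> status %d, value %zu\n", samples[i], (int)s, n);
    }
    return 0;
}
```
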
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:41:28 UTC
Are there fixes for CVE-2023-2157 and CVE-2023-34153 in 6.x?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:45:05 UTC
(In reply to John Helmert III from comment #1)
> Are there fixes for CVE-2023-2157 and CVE-2023-34153 in 6.x?

CVE-2023-2157:
- https://github.com/ImageMagick/ImageMagick6/commit/7e4c992f148afc5b28111e540921d5b6e4e38673 (note that jxc isn't supported in IM6)

CVE-2023-34153:
not sure, need to inspect the IM7 changes (https://github.com/ImageMagick/ImageMagick/commit/d31c80d15a2c82fc1dd8e889e0f97b0219079a57) and compare the relevant files
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:47:18 UTC
Thanks!
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-05 05:36:10 UTC
commit 2093f1a80afe379b2f1e5eeee9c125dc26a21b59
Author: Sam James <sam@gentoo.org>
Date:   Thu Dec 28 04:34:07 2023 +0000

    media-gfx/imagemagick: drop versions

    Signed-off-by: Sam James <sam@gentoo.org>
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2024-04-27 23:48:36 UTC
Cleanup done
Comment 6 Larry the Git Cow gentoo-dev 2024-05-04 06:14:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4a7120d937eaaec2a14046c3d00320bd902c32bf

commit 4a7120d937eaaec2a14046c3d00320bd902c32bf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 06:13:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:14:05 +0000

    [ GLSA 202405-02 ] ImageMagick: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/835931
    Bug: https://bugs.gentoo.org/843833
    Bug: https://bugs.gentoo.org/852947
    Bug: https://bugs.gentoo.org/871954
    Bug: https://bugs.gentoo.org/893526
    Bug: https://bugs.gentoo.org/904357
    Bug: https://bugs.gentoo.org/908082
    Bug: https://bugs.gentoo.org/917594
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-02.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)