#14513: ImageMagick security update
-------------------------+-----------------------
 Reporter:  ken@…        |      Owner:  blfs-book
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  10.1
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-----------------------
 Reading lwn.net, I noticed that Mageia had updated their 'stable' version
 of IM to 7.0.10-55 as a result of things noticed at Ubuntu (Mageia were
 previously on 7.0.8). Most of those things were already fixed in our
 current version (7.0.10-27), but the following are newer:

 CVE-2020-27560 division by zero may cause DoS, fixed in -35.
 For most people, that is minor - unless you use IM to convert or mogrify
 uploaded images on your server.

 ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
 -authenticate option, which allows setting a password for
 password-protected PDF files. The user-controlled password was not
 properly escaped/sanitized and it was therefore possible to inject
 additional shell commands via coders/pdf.c.

 That one has a rating of 'high' (for multi-user systems).

 All versions of 7.0.10 seem to be available (unlike in the past when some
 versions were removed), changelog is at
 [https://imagemagick.org/script/changelog.php] and on the face of it the
 latest release has extra fixes.

 I was going to hold fire on this until I'd tested it and was ready to
 update, but I've just had to raise two issues about tests/validate, so the
 fact I'm looking at this is now public knowledge.

 At the moment I have not started my "acceptance" testing for -57. I can
 say that it builds, and passes make check, with the current instructions
 (and the build is a bit smaller), but I do not yet know if I will find
 this version to be good enough - at this point, reverting to an older
 version (-40 or newer) may be better, or it might be, as I hope, that the
 validation suite has not caught up with other internal changes and
 everything does actually work ok.

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/14513>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
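A quick way to check an installed ImageMagick against the thresholds the ticket names, added here as an example; it is not part of the ticket, of BLFS, or of ImageMagick's own tooling. It parses the version line that `magick -version` (or `convert -version` on 6.x) prints and reports which of the two issues the installed release predates. The fixed versions are the ones stated above: 7.0.10-35 for the division by zero (the ticket gives no 6.x threshold for that one, so it is not checked on 6.x) and 6.9.11-40 / 7.0.10-40 for the -authenticate issue. The sample version line is constructed; the tool names and the shape of the version line are assumptions about ImageMagick's output, not taken from the ticket.

```python
import re
import shutil
import subprocess

# Fixed releases as stated in the ticket, keyed by issue, then by major
# version line. Anything older than the tuple on the same major line is
# treated as still affected. The division-by-zero entry has no 6.x
# threshold because the ticket does not give one (assumption: leave it
# unchecked there rather than guess).
FIXED = {
    "CVE-2020-27560 division by zero (DoS)": {7: (7, 0, 10, 35)},
    "-authenticate shell injection via coders/pdf.c": {
        6: (6, 9, 11, 40),
        7: (7, 0, 10, 40),
    },
}

# Assumed shape of the first line of `magick -version`, e.g.
#   "Version: ImageMagick 7.0.10-27 Q16 x86_64 2020-09-15 https://imagemagick.org"
VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample output, matching the BLFS version named in the ticket.
SAMPLE_VERSION_LINE = "Version: ImageMagick 7.0.10-27 Q16 x86_64 2020-09-15"


def parse_version(text):
    """Return (major, minor, micro, patch) from -version output, or raise."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ImageMagick version string found in output")
    return tuple(int(x) for x in m.groups())


def unfixed_issues(version):
    """Names of the ticket's issues that `version` is still older than.

    Tuple comparison handles the patch-level suffix correctly: 7.0.10-27 is
    older than 7.0.10-35, and 7.0.11-0 is newer than 7.0.10-40.
    """
    affected = []
    for name, fixed_by_major in FIXED.items():
        fixed = fixed_by_major.get(version[0])
        if fixed is None:
            continue  # no threshold given for this major line
        if version < fixed:
            affected.append(name)
    return affected


def installed_version():
    """Version of the first ImageMagick front end found on PATH, or None."""
    for tool in ("magick", "convert"):  # 7.x ships `magick`; 6.x only `convert`
        path = shutil.which(tool)
        if path:
            out = subprocess.run([path, "-version"], capture_output=True,
                                 text=True, check=False).stdout
            return parse_version(out)
    return None


def report(version):
    """Human-readable summary for one version tuple."""
    label = "%d.%d.%d-%d" % version
    issues = unfixed_issues(version)
    if not issues:
        return "ImageMagick %s: none of the issues in this ticket apply" % label
    return "ImageMagick %s still carries: %s" % (label, "; ".join(issues))


if __name__ == "__main__":
    print(report(parse_version(SAMPLE_VERSION_LINE)))
    found = installed_version()
    print(report(found) if found else "no magick/convert on PATH")
```

Run it as-is to see the verdict for the constructed 7.0.10-27 line and, if ImageMagick is installed, for the local binary; the sample is the BLFS version from the ticket, so it reports both issues.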
