Package: imagemagick
Version: 8:6.9.10.23+dfsg-2.1+deb10u2
Severity: normal

Dear Maintainer,

After updating to 8:6.9.10.23+dfsg-2.1+deb10u2, libgd-securityimage-perl does not work anymore because of the CVE-2022-44267 and CVE-2022-44268 mitigation:

    <policy domain="path" rights="none" pattern="/etc/*" />

Removing this line from /etc/ImageMagick-6/policy.xml restores correct behavior.

Here is a test script that tries to generate a Captcha:

    #!/usr/bin/perl
    use strict;
    use warnings;
    # use_magick => 1 selects the Image::Magick backend instead of GD
    use GD::SecurityImage use_magick => 1;

    my $image = GD::SecurityImage->new(
        width    => 200,
        height   => 100,
        lines    => 4,
        gd_font  => 'Giant',
        scramble => 1,
        rndmax   => 10,
    );
    $image->random;
    $image->create('normal', 'default', "#403030", "#FF644B");

    # out() returns (image data, mime type, random string); emit only the PNG bytes
    my ($png) = $image->out(force => 'png');
    binmode STDOUT;
    print $png;

The update breaks usage of fonts, causes warnings to be printed, and leaves the image without any text (which is bad for a Captcha), likely due to the fact that font configuration files for ImageMagick are in /etc.

-- Package-specific info:
ImageMagick program version
---------------------------

-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-0.deb11.6-amd64 (SMP w/6 CPU cores; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- Configuration Files:
/etc/ImageMagick-6/policy.xml changed [not included]

-- no debconf information
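An added helper, not part of the bug report or of the imagemagick package, that shows why the quoted mitigation also hits ImageMagick's own font configuration: it parses a constructed policy.xml fragment and reports which domain="path" deny patterns match a given file. It assumes that any matching rights="none" pattern denies the path and approximates ImageMagick's glob matching with fnmatch; the font-file name used in the example is assumed, not taken from the report.

```python
"""Report which file paths an ImageMagick policy.xml path policy denies."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy fragment (not a copy of Debian's file); the /etc/* line
# is the CVE-2022-44267 / CVE-2022-44268 mitigation quoted in the report.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="path" rights="none" pattern="/etc/*" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""


def load_path_policies(xml_text):
    """Return (pattern, rights) pairs for every domain="path" policy."""
    root = ET.fromstring(xml_text)
    return [(p.get("pattern", ""), p.get("rights", ""))
            for p in root.iter("policy") if p.get("domain") == "path"]


def denied_by(policies, path):
    """Deny patterns that match `path`.

    Assumption: a matching rights="none" pattern denies access; fnmatch's
    '*' crosses '/' so "/etc/*" also covers files in subdirectories of /etc.
    """
    return [pat for pat, rights in policies
            if rights == "none" and fnmatch.fnmatch(path, pat)]


def check_paths(xml_text, paths):
    """Map each path to the list of deny patterns that hit it."""
    policies = load_path_policies(xml_text)
    return {p: denied_by(policies, p) for p in paths}


if __name__ == "__main__":
    # Assumed font configuration path under /etc, plus a path outside /etc.
    sample_paths = ["/etc/ImageMagick-6/type.xml", "/usr/share/fonts/example.ttf"]
    for path, hits in check_paths(SAMPLE_POLICY, sample_paths).items():
        status = "DENIED by " + ", ".join(hits) if hits else "allowed"
        print(f"{path}: {status}")
```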