Hi,

As said on debian-private go ahead please. I am late due to payjob issue.

Bastien

On Sat, Dec 12, 2020 at 3:06 PM Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Source: imagemagick
> Version: 8:6.9.11.24+dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for imagemagick.
>
> A very extensive blogpost[1] explains the issue, and note that the
> provided POC though does only work so far in ImageMagick7 the issue is
> present as well in legacy ImageMagick 6, affected versions should be
> around 6.9.8-1 onwards.
>
> The required fixes for ImageMagick6 are referenced in the
> security-tracker.
>
> As a side note: For buster the issue is mitigated as the recent DSA
> included the 200-disable-ghostscript-formats.patch patch and disables
> ghostscript handled formats. As a hardening measure against those
> issues it might be ideal to ship the disabling as well in bullseye.
>
> CVE-2020-29599[0]:
> | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the
> | -authenticate option, which allows setting a password for password-
> | protected PDF files. The user-controlled password was not properly
> | escaped/sanitized and it was therefore possible to inject additional
> | shell commands via coders/pdf.c.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-29599
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599
> [1] https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
>
> Regards,
> Salvatore
>
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
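
The version bound and the hardening measure mentioned in the report above, as an added example that is not part of the original thread or of Debian's packaging: it checks whether a version string predates the fixed releases named in the CVE text and which Ghostscript-handled coders a `policy.xml` leaves enabled. The coder list, the sample policy, the rule for reading conflicting policies and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Fixed upstream releases per major series, from the CVE-2020-29599 text.
FIXED = {6: (6, 9, 11, 40), 7: (7, 0, 10, 40)}
# Assumption: Ghostscript-handled coders a hardened policy.xml should deny.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample policy: PDF is left enabled and XPS is missing.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS*"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
</policymap>"""

def upstream_tuple(version):
    """'8:6.9.11.24+dfsg-1' or '7.0.10-39' -> (major, minor, patch, release)."""
    core = version.split(":", 1)[-1].split("+", 1)[0]  # drop epoch and +dfsg
    parts = re.split(r"[.-]", core)[:4]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ImageMagick version: {version!r}")
    return tuple(int(p) for p in parts)

def predates_fix(version):
    """True if the version is older than the fixed release of its series."""
    v = upstream_tuple(version)
    fixed = FIXED.get(v[0])  # other major series are not covered by the CVE text
    return fixed is not None and v < fixed

def coder_denied(policy_xml, coder):
    """Conservative: denied only if a matching coder policy has rights="none"
    and none grants a right. fnmatch globbing; brace globs are not expanded."""
    denied = False
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain", "").lower() != "coder":
            continue
        if not fnmatchcase(coder.upper(), p.get("pattern", "").upper()):
            continue
        if p.get("rights", "").strip().lower() != "none":
            return False
        denied = True
    return denied

def exposed_coders(policy_xml):
    return [c for c in GS_CODERS if not coder_denied(policy_xml, c)]

print(predates_fix("8:6.9.11.24+dfsg-1"), exposed_coders(SAMPLE_POLICY))
```

A version that predates the fix combined with a non-empty list from `exposed_coders` means neither the upstream fix nor the policy mitigation is in place on that host.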