Your message dated Wed, 04 Jan 2023 10:17:23 +0000
with message-id <[email protected]>
and subject line Bug#1007225: fixed in ruby-image-processing 1.10.3-1+deb11u1
has caused the Debian Bug report #1007225,
regarding ruby-image-processing: CVE-2022-24720
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1007225: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007225
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-image-processing
Version: 1.10.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ruby-image-processing.
CVE-2022-24720[0]:
| image_processing is an image processing wrapper for libvips and
| ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the
| `#apply` method from image_processing to apply a series of operations
| that are coming from unsanitized user input allows the attacker to
| execute shell commands. This method is called internally by Active
| Storage variants, so Active Storage is vulnerable as well. The
| vulnerability has been fixed in version 1.12.2 of image_processing. As
| a workaround, users who process based on user input should always
| sanitize the user input by allowing only a constrained set of
| operations.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24720
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24720
[1] https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
[2] https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
Regards,
Salvatore
--- End Message ---
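The workaround the advisory describes (accept only a constrained set of operations before calling `#apply`) as an added example; this is not code from the bug report or the image_processing project, and the `OperationSanitizer` module, the allowlisted operation names and the argument limits are assumptions chosen for illustration.

```ruby
# Added example (not from the bug report or the image_processing gem): an allowlist
# sanitizer for operation hashes, run before they reach ImageProcessing::Vips#apply
# or ImageProcessing::MiniMagick#apply. Names, limits and the module are assumptions.
module OperationSanitizer
  class UnsafeOperation < StandardError; end

  MAX_DIMENSION = 4096 # assumed upper bound for width/height

  def self.positive_int?(value, max)
    value.is_a?(Integer) && value.positive? && value <= max
  end

  def self.dimensions?(args)
    args.size == 2 && args.all? { |v| positive_int?(v, MAX_DIMENSION) }
  end

  # Operation name => predicate on its argument array. Anything not listed here
  # is rejected, so arbitrary method names from the request never reach #apply.
  ALLOWED = {
    "resize_to_limit" => ->(args) { dimensions?(args) },
    "resize_to_fit"   => ->(args) { dimensions?(args) },
    "rotate"          => ->(args) { args.size == 1 && args[0].is_a?(Integer) && (0..359).cover?(args[0]) },
    "convert"         => ->(args) { args.size == 1 && %w[jpg jpeg png webp].include?(args[0]) },
  }.freeze

  # Returns a new Hash (symbol keys, argument arrays) safe to pass to #apply,
  # or raises UnsafeOperation on an unknown operation or unacceptable arguments.
  def self.sanitize(user_ops)
    raise UnsafeOperation, "operations must be a Hash" unless user_ops.is_a?(Hash)

    user_ops.each_with_object({}) do |(name, args), safe|
      name = name.to_s
      validator = ALLOWED[name]
      raise UnsafeOperation, "operation not allowed: #{name}" unless validator

      args = Array(args)
      raise UnsafeOperation, "bad arguments for #{name}: #{args.inspect}" unless validator.call(args)

      safe[name.to_sym] = args
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request payload, as it might arrive decoded from a JSON parameter.
  params = { "resize_to_limit" => [800, 600], "convert" => "webp" }
  safe = OperationSanitizer.sanitize(params)
  # ImageProcessing::Vips.source("in.jpg").apply(safe).call  # only allowlisted ops get here
  p safe
end
```

Upgrading to image_processing 1.12.2 or the patched Debian package remains the actual fix; the sanitizer only limits what user input can reach `#apply` on versions you cannot yet upgrade.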
--- Begin Message ---
Source: ruby-image-processing
Source-Version: 1.10.3-1+deb11u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ruby-image-processing, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated
ruby-image-processing package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 30 Dec 2022 23:16:44 +0100
Source: ruby-image-processing
Architecture: source
Version: 1.10.3-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1007225
Changes:
ruby-image-processing (1.10.3-1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Prevent remote shell execution in `#apply` (CVE-2022-24720)
(Closes: #1007225)
--- End Message ---