[Git][security-tracker-team/security-tracker][master] Add CVE-2020-29599/imagemagick

Wed, 09 Dec 2020 13:58:44 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53effe37 by Salvatore Bonaccorso at 2020-12-09T22:57:35+01:00
Add CVE-2020-29599/imagemagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -661,7 +661,15 @@ CVE-2020-29600 (In AWStats through 7.7, 
cgi-bin/awstats.pl?config= accepts an ab
        NOTE: 
https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376
        NOTE: https://github.com/eldy/awstats/issues/195 (another unfixed 
vector)
 CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 
mishandles the - ...)
-       TODO: check
+       - imagemagick <unfixed>
+       NOTE: https://github.com/ImageMagick/ImageMagick/discussions/2851
+       NOTE: 
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
+       NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/a9e63436aa04c805fe3f9e2ed242dfa4621df823
+       NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/68154c05cf40a80b6f2e2dd9fdc4428570f875f0
+       NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/89a1c73ee2693ded91a72d00bdf3aba410f349f1
+       NOTE: Issue mitigated by disabling ghostscript handled formats based on 
-SAFER insecurity,
+       NOTE: cf 200-disable-ghostscript-formats.patch in 
8:6.9.10.23+dfsg-2.1+deb10u1, but opens
+       NOTE: #964090.
 CVE-2020-29598
        RESERVED
 CVE-2020-29597 (IncomCMS 2.0 has a modules/uploader/showcase/script.php 
insecure file  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53effe37bf51054c365b3a193c76812cf78385d5

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53effe37bf51054c365b3a193c76812cf78385d5
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to