Your message dated Mon, 11 Jan 2021 23:34:09 +0000 with message-id <e1kz6hn-0002nm...@fasolo.debian.org> and subject line Bug#977205: fixed in imagemagick 8:6.9.11.57+dfsg-1 has caused the Debian Bug report #977205, regarding imagemagick: CVE-2020-29599 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 977205: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977205 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: imagemagick Version: 8:6.9.11.24+dfsg-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for imagemagick. A very extensive blogpost[1] explains the issue, and note that the provided POC though does only work so far in ImageMagick7 the issue is present as well in legacy ImageMagick 6, affected versions should be around 6.9.8-1 onwards. The required fixes for ImageMagick6 are referenced in the security-tracker. As a side node: For buster the issue is mitigated as the recent DSA included the 200-disable-ghostscript-formats.patch patch and disables ghostscript handled formats. As a hardening measure against those issue it might be ideal to ship the disabling as well in bullseye. CVE-2020-29599[0]: | ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the | -authenticate option, which allows setting a password for password- | protected PDF files. The user-controlled password was not properly | escaped/sanitized and it was therefore possible to inject additional | shell commands via coders/pdf.c. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-29599 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599 [1] https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html Regards, Salvatore -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---Source: imagemagick Source-Version: 8:6.9.11.57+dfsg-1 Done: Bastien Roucariès <ro...@debian.org> We believe that the bug you reported is fixed in the latest version of imagemagick, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 977...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bastien Roucariès <ro...@debian.org> (supplier of updated imagemagick package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 11 Jan 2021 22:14:26 +0000 Source: imagemagick Architecture: source Version: 8:6.9.11.57+dfsg-1 Distribution: unstable Urgency: medium Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-t...@lists.alioth.debian.org> Changed-By: Bastien Roucariès <ro...@debian.org> Closes: 971216 972797 977205 Changes: imagemagick (8:6.9.11.57+dfsg-1) unstable; urgency=medium . * New upstream version: - Bug fix: "CVE-2020-29599", imagemagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. Thanks to Salvatore Bonaccorso (Closes: #977205). - Bug fix: "CVE-2020-27560: Division by Zero in function OptimizeLayerFrames", thanks to Salvatore Bonaccorso (Closes: #972797). * Fix dh_doxygen FTBFS (Closes: #971216) Checksums-Sha1: 98043226f8d2a24a7f1057380adb9c6867cf54ed 5079 imagemagick_6.9.11.57+dfsg-1.dsc 8420160075e75cde28a09a0b9b7cff725cee9db9 9392580 imagemagick_6.9.11.57+dfsg.orig.tar.xz abbd21d51c0d56aceb902c602c0fc0cf477603e6 245888 imagemagick_6.9.11.57+dfsg-1.debian.tar.xz 944dad89fa48f440ea2391cfd5f9afc1b2b613c3 11973 imagemagick_6.9.11.57+dfsg-1_source.buildinfo Checksums-Sha256: df60159c4f67c2a30fa5b979b82d7202bd9d45225c98348078886c420ccd1d61 5079 imagemagick_6.9.11.57+dfsg-1.dsc 383ed545dc93d34ebefa54623cb7c43e8b32d3076c14d9d93561307c97ed27a7 9392580 imagemagick_6.9.11.57+dfsg.orig.tar.xz 3cf0c4d05a08b3b68f2fa2548f9fd0f20aaa946c8c93a9c4159d8b78173a3a1b 245888 imagemagick_6.9.11.57+dfsg-1.debian.tar.xz 72400364af7ef08008c7182caad793d4cf98aa82427c647f776c7684a80a6da0 11973 imagemagick_6.9.11.57+dfsg-1_source.buildinfo Files: dec3c27f46285b416d8b93bf62c08fed 5079 graphics optional imagemagick_6.9.11.57+dfsg-1.dsc 51d0045050a717cd2d43a6773439aae6 9392580 graphics optional imagemagick_6.9.11.57+dfsg.orig.tar.xz 8666e98765c9a4ad83f7b7e6ba46ed8a 245888 graphics optional imagemagick_6.9.11.57+dfsg-1.debian.tar.xz 7baf9b5debd6ebbae9aba1eaca2dae39 11973 graphics optional imagemagick_6.9.11.57+dfsg-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAl/828YACgkQADoaLapB CF96DRAAl2sVL4PgaetRQs4wTR1TSPEUbwutWYDDPqoN7vfhfNuKiel2BODQQI+r +C1EMAV3zosU5m+oa12z/K30KVZIikfhsMX7LZ22QfSUg/GZV/qeLEz80fiSnT+t xx9y2MWQRtSqsjR2szR7dXCugwkHo1oISaBGKloWyVRCshcLj9pPq+XxsL8AL8o4 z0wl7WB4Xe9VMdvpYS33o+KMUtAAsm2MLNwvf+oNZguOLQvADM1T6t8OrMfOH7Sc SQNh4SSsjOe75CovXQb5UEbNSbBCQXs4IISdEyeDAZhSoqW9hiOQH3s/CHmiS7Lj APJcobQNKalpeSYs7yVC9spIOjZXyKzcDH2O+9O4NCxrM/dfhcMFQI1DMbqZn2WD TS6dWqDqlyDPnofM90UzrS5y1+3HAjsehpnzReXNwYlktfiCVx/EDHDD4dPzevdB KgQ9CY9IBlW8UZjGtaWl3ZF+NvmEncxfZRb2O58i7YqJ3lftq+fpSrqdc1c02Qxp lyQkPl0dExgYzcxQsXYe5ebfBUD/+De98lJCi4LQ920/dj7/zF71CsZ4eO59VcnL ElRXfAwvpn1m9MQlk/EEAi2S/a8sXHu1N9NyHwpRO0HAMOK4J+t4FBkX91XkJubA 9TEFoHkcpMyPjpa0L988ZZO8b22gyb9l4okR938j08e0W9xOw1E= =Tr01 -----END PGP SIGNATURE-----
--- End Message ---
