From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 15:52:29 2021
Subject: imagemagick is vulnerable to CVE-2020-27829
From: Léo Le Bouter
To: bug-guix@gnu.org
Date: Fri, 26 Mar 2021 20:52:15 +0100

CVE-2020-27829 18:15
A heap based buffer overflow in coders/tiff.c may result in program
crash and denial of service in ImageMagick before 7.0.10-45.

Upstream patch available at
https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0

Not yet backported to 6.x series but applies more or less cleanly
(besides ChangeLog file).

A patch will follow, please review!
Thank you

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 15:54:07 2021
From: Léo Le Bouter
To: 47418@debbugs.gnu.org
Subject: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Fri, 26 Mar 2021 20:53:42 +0100

* gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
graft.
--- gnu/local.mk | 1 + gnu/packages/imagemagick.scm | 3 ++- .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch diff --git a/gnu/local.mk b/gnu/local.mk index 40956598db..fe70238345 100644 --- a/gnu/local.mk +++ b/gnu/local.mk
@@ -1220,6 +1220,7 @@ dist_patch_DATA = \ %D%/packages/patches/id3lib-UTF16-writing-bug.patch \ %D%/packages/patches/idris-disable-test.patch \ %D%/packages/patches/ilmbase-fix-tests.patch \ + %D%/packages/patches/imagemagick-CVE-2020-27829.patch \ %D%/packages/patches/inetutils-hurd.patch \ %D%/packages/patches/inkscape-poppler-0.76.patch \ %D%/packages/patches/intel-xed-fix-nondeterminism.patch \ diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm index a3562f2e13..1618a28596 100644 --- a/gnu/packages/imagemagick.scm +++ b/gnu/packages/imagemagick.scm @@ -143,7 +143,8 @@ text, lines, polygons, ellipses and Bézier curves.") "6.9.12-2.tar.xz")) (sha256 (base32 - "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa")))) + "17da5zihz58qm41y61sbvw626m5xfwr2nzszlikrvxyq1j1q7asa")) + (patches (search-patches "imagemagick-CVE-2020-27829.patch")))) (arguments (substitute-keyword-arguments (package-arguments imagemagick) ((#:phases phases) diff --git a/gnu/packages/patches/imagemagick-CVE-2020-27829.patch b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch new file mode 100644 index 0000000000..74debdc98e --- /dev/null +++ b/gnu/packages/patches/imagemagick-CVE-2020-27829.patch 
@@ -0,0 +1,23 @@ +From 6ee5059cd3ac8d82714a1ab1321399b88539abf0 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 30 Nov 2020 16:27:26 +0000 +Subject: [PATCH] possible TIFF related-heap buffer overflow (alert & POC by + Hardik Shah) + +--- + coders/tiff.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletion(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index e98f927abd..1eecf17aea 100644 +--- a/coders/tiff.c ++++ b/coders/tiff.c +@@ -1975,7 +1975,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + extent+=image->columns*sizeof(uint32); + #endif + strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, +- sizeof(*strip_pixels)); ++ 2*sizeof(*strip_pixels)); + if (strip_pixels == (unsigned char *) NULL) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); + (void) memset(strip_pixels,0,extent*sizeof(*strip_pixels)); -- 2.31.0
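
Review bot: in the coders/tiff.c change carried by imagemagick-CVE-2020-27829.patch, the allocation becomes `AcquireQuantumMemory(extent, 2*sizeof(*strip_pixels))` while the unchanged context line after it still clears only `extent*sizeof(*strip_pixels)` bytes, so the second half of the enlarged buffer is left uninitialized. The patch also gives no reason why twice `extent` is a sufficient bound. As this is a copy of upstream commit 6ee5059cd3ac8d82714a1ab1321399b88539abf0 the code itself can stay as it is, but please add a short comment at the top of the patch file stating that it is that upstream commit applied to the 6.9.12-2 source with the ChangeLog part left out, and that it addresses the overflow by over-allocating rather than by a bounds check, so that whoever next updates the graft knows what to re-verify.
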

From: Léo Le Bouter
To: control@debbugs.gnu.org
Date: Fri, 26 Mar 2021 21:55:37 +0100

tags 47418 + security
quit

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 19:12:23 2021
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
From: Maxime Devos
To: Léo Le Bouter, 47418@debbugs.gnu.org
Date: Sat, 27 Mar 2021 00:12:11 +0100

This patch seems about right to me. However,

$ guix lint -c cve imagemagick
gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably vulnerable to
CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-2020-25663, CVE-2020-25665,
CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676,
CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766,
CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772,
CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136,
CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853,
CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
CVE-2018-20467, CVE-2018-6405

Did we forget some bugs & patches, or is "guix lint" incorrect here?

Greetings,
Maxime

From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 19:16:31 2021
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
From: Léo Le Bouter
To: Maxime Devos, 47418@debbugs.gnu.org
Date: Sat, 27 Mar 2021 00:16:18 +0100

On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to
> CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-2020-25663, CVE-2020-25665,
> CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676,
> CVE-2020-27750, CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
> CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
> CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766,
> CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772,
> CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
> CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136,
> CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853,
> CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
> CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
> CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime

To me, ImageMagick is lagging behind since a long while and we need to
upgrade to the latest version ASAP. Unfortunately we don't seem to be
able to do that since it has lots of dependents and backporting each
and every of these patches is just impossible, also there's way more in
the commit history without security labeling like CVE.

I don't want to deal with backporting things for ImageMagick to catch
up with the previous security fixes that no one cared to apply in due
time earlier. It's just too much.

From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 27 09:29:41 2021
From: Mark H Weaver
To: 47418@debbugs.gnu.org
Cc: Léo Le Bouter
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 09:27:54 -0400

Léo Le Bouter via Bug reports for GNU Guix writes:

> * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
> graft.
> ---
> gnu/local.mk | 1 +
> gnu/packages/imagemagick.scm | 3 ++-
> .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++
> 3 files changed, 26 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Your patch looks good to me, but I've just posted an alternative patch
set to 'guix-devel' which should enable us to keep ImageMagick
up-to-date without grafting, and which fixes this security flaw and
more.

https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html

It's not a big deal, but if you push your patch now, I would need to
rebase the patch set on top of it.

Mark

From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 27 09:31:08 2021
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
From: Léo Le Bouter
To: Mark H Weaver, 47418@debbugs.gnu.org
Date: Sat, 27 Mar 2021 14:30:53 +0100

On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote:
> Your patch looks good to me, but I've just posted an alternative patch
> set to 'guix-devel' which should enable us to keep ImageMagick
> up-to-date without grafting, and which fixes this security flaw and
> more.
>
> https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
>
> It's not a big deal, but if you push your patch now, I would need to
> rebase the patch set on top of it.
>
> Mark

Thank you, let's get your better patch in then close this.

From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 27 20:16:51 2021
From: Mark H Weaver
To: Léo Le Bouter, 47418-done@debbugs.gnu.org
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 20:15:04 -0400

Léo Le Bouter writes:

> Thank you, let's get your better patch in then close this.

I've now pushed those patches to 'master'. CVE-2020-27829 is fixed in
commit bfc69d5e7c45eac865e231643b58396580afb231, so I'm closing this bug
now.

Thanks!
Mark

From unknown Sat Aug 09 15:55:16 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sun, 25 Apr 2021 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator