GNU bug report logs - #47418
imagemagick is vulnerable to CVE-2020-27829

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 26 Mar 2021 19:53:02 UTC

Severity: normal

Tags: security

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Maxime Devos <maximedevos <at> telenet.be>, 47418 <at> debbugs.gnu.org
Subject: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 00:16:18 +0100

[Message part 1 (text/plain, inline)]
On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me.  However,
> 
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick <at> 6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
> 2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-
> 25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
> 27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-
> 27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-
> 27760,
> CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-
> 2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
> 27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-
> 27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-
> 13133,
> CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-
> 2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
> 7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
> CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
> 2018-16750, CVE-2018-20467, CVE-2018-6405
> 
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
> 
> Greetings,
> Maxime

To me, ImageMagick is lagging behind since a long while and we need to
upgrade to the latest version ASAP. Unfortunately we don't seem to be
able to do that since it has lots of dependents and backporting each
and every of these patches is just impossible, also there's way more in
the commit history without security labeling like CVE.

I don't want to deal with backporting things for ImageMagick to catch
up with the previous security fixes that no one cared to apply in due
time earlier. It's just too much.

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 107 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.