GNU bug report logs - #47418
imagemagick is vulnerable to CVE-2020-27829

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 26 Mar 2021 19:53:02 UTC

Severity: normal

Tags: security

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.

Full log

Message #19 received at 47418 <at> debbugs.gnu.org (full text, mbox):

From: Mark H Weaver <mhw <at> netris.org>
To: 47418 <at> debbugs.gnu.org
Cc: Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 09:27:54 -0400

Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

> * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch.
> * gnu/local.mk (dist_patch_DATA): Register it.
> * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existing
> graft.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/imagemagick.scm                  |  3 ++-
>  .../patches/imagemagick-CVE-2020-27829.patch  | 23 +++++++++++++++++++
>  3 files changed, 26 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch

Your patch looks good to me, but I've just posted an alternative patch
set to 'guix-devel' which should enable us to keep ImageMagick
up-to-date without grafting, and which fixes this security flaw and
more.

  https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html

It's not a big deal, but if you push your patch now, I would need to
rebase the patch set on top of it.

      Mark
This bug report was last modified 4 years and 107 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.