From: "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>, 47418@debbugs.gnu.org
Subject: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
Date: Sat, 27 Mar 2021 00:16:18 +0100 [thread overview]
Message-ID: <4023b12d389fe22b89f593e4d36e716b6f9b001e.camel@zaclys.net> (raw)
In-Reply-To: <095ec340cf07cbb96d5dc7f53ca4b47b8ec1525d.camel@telenet.be>
[-- Attachment #1: Type: text/plain, Size: 1820 bytes --]
On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
> 2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-
> 25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
> 27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-
> 27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-
> 27760,
> CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-
> 2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
> 27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-
> 27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-
> 13133,
> CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-
> 2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
> 7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398,
> CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
> 2018-16750, CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime
To me, ImageMagick is lagging behind since a long while and we need to
upgrade to the latest version ASAP. Unfortunately we don't seem to be
able to do that since it has lots of dependents and backporting each
and every of these patches is just impossible, also there's way more in
the commit history without security labeling like CVE.
I don't want to deal with backporting things for ImageMagick to catch
up with the previous security fixes that no one cared to apply in due
time earlier. It's just too much.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-03-26 23:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-26 19:52 bug#47418: imagemagick is vulnerable to CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 19:53 ` bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829 Léo Le Bouter via Bug reports for GNU Guix
2021-03-26 23:12 ` Maxime Devos
2021-03-26 23:16 ` Léo Le Bouter via Bug reports for GNU Guix [this message]
2021-03-27 13:27 ` Mark H Weaver
2021-03-27 13:30 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-28 0:15 ` Mark H Weaver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4023b12d389fe22b89f593e4d36e716b6f9b001e.camel@zaclys.net \
--to=bug-guix@gnu.org \
--cc=47418@debbugs.gnu.org \
--cc=lle-bout@zaclys.net \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).