Subject: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
From: Léo Le Bouter (via bug-guix@gnu.org)
To: Maxime Devos, 47418@debbugs.gnu.org
Date: Sat, 27 Mar 2021 00:16:18 +0100
In-Reply-To: <095ec340cf07cbb96d5dc7f53ca4b47b8ec1525d.camel@telenet.be>
References: <20210326195342.14152-1-lle-bout@zaclys.net>
On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244,
> CVE-2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667,
> CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750,
> CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
> CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759,
> CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763,
> CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768,
> CVE-2020-27770, CVE-2020-27771, CVE-2020-27772, CVE-2020-27773,
> CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
> CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135,
> CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541,
> CVE-2019-17547, CVE-2019-18853, CVE-2019-7175, CVE-2019-7395,
> CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323,
> CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
> CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime

To me, ImageMagick has been lagging behind for a long while and we need to upgrade to the latest version ASAP. Unfortunately we don't seem to be able to do that since it has lots of dependents, and backporting each and every one of these patches is just impossible; also there's way more in the commit history without security labeling like CVE. I don't want to deal with backporting things for ImageMagick to catch up with the previous security fixes that no one cared to apply in due time earlier. It's just too much.