From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id oLy7HmYzX2CbUQAAgWs5BA (envelope-from ) for ; Sat, 27 Mar 2021 14:30:14 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id AD6zGGYzX2DgNwAA1q6Kng (envelope-from ) for ; Sat, 27 Mar 2021 13:30:14 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E740926337 for ; Sat, 27 Mar 2021 14:30:13 +0100 (CET) Received: from localhost ([::1]:40704 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lQ911-0004Yk-Ez for larch@yhetil.org; Sat, 27 Mar 2021 09:30:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:52540) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lQ90t-0004Ye-LF for bug-guix@gnu.org; Sat, 27 Mar 2021 09:30:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:60249) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lQ90t-0005PZ-E0 for bug-guix@gnu.org; Sat, 27 Mar 2021 09:30:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lQ90t-0002Hx-9k for bug-guix@gnu.org; Sat, 27 Mar 2021 09:30:03 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. Resent-From: Mark H Weaver Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sat, 27 Mar 2021 13:30:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47418 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 47418@debbugs.gnu.org Received: via spool by 47418-submit@debbugs.gnu.org id=B47418.16168517818747 (code B ref 47418); Sat, 27 Mar 2021 13:30:03 +0000 Received: (at 47418) by debbugs.gnu.org; 27 Mar 2021 13:29:41 +0000 Received: from localhost ([127.0.0.1]:43562 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lQ90X-0002H1-HO for submit@debbugs.gnu.org; Sat, 27 Mar 2021 09:29:41 -0400 Received: from world.peace.net ([64.112.178.59]:49084) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lQ90V-0002Gl-44 for 47418@debbugs.gnu.org; Sat, 27 Mar 2021 09:29:40 -0400 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lQ90N-0004yb-Kv; Sat, 27 Mar 2021 09:29:31 -0400 From: Mark H Weaver In-Reply-To: <20210326195342.14152-1-lle-bout@zaclys.net> References: <20210326195342.14152-1-lle-bout@zaclys.net> Date: Sat, 27 Mar 2021 09:27:54 -0400 Message-ID: <875z1czpxm.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616851814; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=X35UK7IWjNh38SRld8nEw2lCVSuJtvm543ktXzxbGDQ=; b=eXN3D+P4+bd4YJLbkPxYTcpd/3G9m+i4G6ElSXadkI1SCSsHjmY4Wpb+KjzXJ84/QIo0Do T2+zbW9aS6z5AStIbnxxhFIomigR7zN4zDMJSQV91/3925yfr+UEYiSbm9VtZ/swBb0c8n BhTdZI/mOc8MbYZB9JqRm6rGUfkDGBAuOLOorjiu8bjuV5Grl54OZqrlonl3TLb+wmiLuG BJ1n+vdGIGt2mDr41fBStH2XM9SQk4HhECeN9NkT/38zsySV/DkxyylMbvbyxdKCyqZFtZ +9IWFusno9ngDGIUOFMH3RNZBBd62OcxhVLEe4SWF9nc70naFp8Lq1RxDG/Mdw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616851814; a=rsa-sha256; cv=none; b=GbfxLAzCbR3ZO9ArBjeDpnCtiolWY55121pEW+0n61gwfYgML0+RwzkYNxqS75oafP1OGx Hnrt2Iu+F2Ql8g5fYH7Jep+3p/DxbbP0r/8iYOkQGw/dxloJnq3bR6gz+KsYqeJ+wmHwWT wVzniuo4afBG3auaLVFU3+p6fXqE0umnNb/dwndTg0ySMC1S9YVPu0cgMneOnsKDWAC8gI b2/ipxE41aTA77Vy1xYjQgn7PrYQZdXp0RE6a0oSX/zeQipCRFdvbhwPiQb4wIQ93VMhnL PjUoLFCqPcvkqDFYfpZpBBLuXNx24Y4o1ekxpli7Sta4wVjmsyHkEZz/MvM4yQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -0.92 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: E740926337 X-Spam-Score: -0.92 X-Migadu-Scanner: scn0.migadu.com X-TUID: A1IvNV4zcgDa L=C3=A9o Le Bouter via Bug reports for GNU Guix writes: > * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch. > * gnu/local.mk (dist_patch_DATA): Register it. > * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existi= ng > graft. > --- > gnu/local.mk | 1 + > gnu/packages/imagemagick.scm | 3 ++- > .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++ > 3 files changed, 26 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch Your patch looks good to me, but I've just posted an alternative patch set to 'guix-devel' which should enable us to keep ImageMagick up-to-date without grafting, and which fixes this security flaw and more. https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html It's not a big deal, but if you push your patch now, I would need to rebase the patch set on top of it. Mark