ImageMagick security update
|Reported by:||Owned by:|
Reading lwn.net, I noticed that mageia had updated their 'stable' version of IM to 7.0.10-55 as a result of things noticed at ubuntu (mageia were previously on 7.0.8). Most of those things were already fixed in our current version (7.0.10-27), but the following are newer:
CVE-2020-27560 division by zero may cause DoS, fixed in -35. For most people, that is minor - unless you use IM to convert or mogrify uploaded images on your server.
ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.
That one has a rating of 'high' (for multi-user systems)
All versions of 7.0.10 seem to be available (unlike in the past when some versions were removed), changelog is at [https://imagemagick.org/script/changelog.php ] and on the face of it the latest release has extra fixes.
I was going to hold fire on this until I'd tested it and was ready to update, but I've just had to raise two issues about tests/validate, so the fact I'm looking at this is now public knowledge.
At the moment I have not started my "acceptance" testing for -57. I can say that it builds, and passes make check, with the current instructions (and the build is a bit smaller), but I do not yet know if I will find this version to be good enough - at this point, reverting to an older version (-40 or newer) may be better, or it might be, as I hope, that the validation suite has not caught up with other internal changes and everything does actually work ok.