ImageMagick security update

[ken@…]

Reading lwn.net, I noticed that mageia had updated their 'stable' version of IM to 7.0.10-55 as a result of things noticed at ubuntu (mageia were previously on 7.0.8). Most of those things were already fixed in our current version (7.0.10-27), but the following are newer:

CVE-2020-27560 division by zero may cause DoS, fixed in -35. For most people, that is minor - unless you use IM to convert or mogrify uploaded images on your server.

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

That one has a rating of 'high' (for multi-user systems)

All versions of 7.0.10 seem to be available (unlike in the past when some versions were removed), changelog is at [​https://imagemagick.org/script/changelog.php ] and on the face of it the latest release has extra fixes.

I was going to hold fire on this until I'd tested it and was ready to update, but I've just had to raise two issues about tests/validate, so the fact I'm looking at this is now public knowledge.

At the moment I have not started my "acceptance" testing for -57. I can say that it builds, and passes make check, with the current instructions (and the build is a bit smaller), but I do not yet know if I will find this version to be good enough - at this point, reverting to an older version (-40 or newer) may be better, or it might be, as I hope, that the validation suite has not caught up with other internal changes and everything does actually work ok.

[ken@…]

Still running my own 'acceptance tests', but looking good so far. I've also gone back to tests/validate : on rerun no errors and no messages about image coder signature mismatch.

[ken@…]

r24111