ImageMagick (Update before next release)

[Bruce Dubbs]

New version.

[ken@…]

Current is 7.1.0-61 from Sunday. Changelog at ​https://github.com/ImageMagick/Website/blob/main/ChangeLog.md - seems to just be bugfixes since 7.1.0-49.

[ken@…]

Updated to 7.1.0-61 in b26ff3c85d3f6abd0a28de2bf38ebc3c63e3abae 11.2-1073

[ken@…]

I've seen a few mentions of ImageMagick CVEs recently, but it is hard to get a rliable source. Yesterday I found ​https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html which is not-exactly reliable (as with other sites, a mix of IM-6.9 and IM-7.0+), and the item marked there as Critical appears to be invalid (not a default option), working as defined. Hovever, some items are valid for 7.0+. Will raise a ticket.

for the future, ChangeLog is now at ​https://github.com/ImageMagick/Website/blob/main/ChangeLog.md

[Bruce Dubbs]

Updating to 7.1.1-15

[ken@…]

Latest version is now 7.1.1-28 from 11th February.

changes are listed at the ChangeLog.md link above. There are links to GHSA security advisories for 7.1.1-24 for corrupt DejaVu images and to test if meta channels exceed max, but the links are dead and no advisories are listed after 7.1.1-13.

It appears ImageMagick is now its own CVE Numbering Authority (CNA) - there were commits in 7.1.1-16 to update SECURITY.md.

Nevertheless, Mitre has recorded a few CVEs raised by RedHat, of which one applies to ImageMagick after 7.1.1-15:

CVE-2023-5341 A heap use-after-free flaw was found in coders/bmp.c Medium - fix is in 7.1.1-19

There were some other CVEs raised by RedHat, but no links to commits at ImageMagick, so perhaps disputed.

I'll take a look at 7.1.1-28

[ken@…]

Updates completed in a series of three commits ending in sha:r12.0-1559-g2864283c1e

[ken@…]

Security Advisory SA-12.0-099 created.