#18204 closed enhancement (fixed)
ImageMagick-7.1.1-12
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
Several security vulnerabilities have been found in ImageMagick-7 : four Medium severity, one High severity which appears to have been fixed in 7.1.1-10 (reported as fix going into beta on 19th May). Current version is 7.1.1-11, with my own choice of (additional) options this seems to work as well as our current 7.1.0-61.
The first of these CVEs I looked at definitely applied to our current version, I'm fairly sure most of the others also apply.
I've just started building a fresh system to measure this and some other forthcoming attractions, hope to get this done in the coming week.
The CVEs are CVE-2023-1289, CVE-2023-1906. CVE-2023-2157, CVE-2023-34151, CVE-2023-34153.
From https://github.com/ImageMagick/Website/blob/main/ChangeLog.md the only thing I noticed re changed possible dependencies was mentions of Oklab which turns out to be a perceptual colorspace https://bottosson.github.io/posts/oklab/ and it appears that IM can now convert sRGB images to this colorspace.
Change History (8)
comment:1 by , 21 months ago
| Summary: | ImageMagick-7.1.0-11 → ImageMagick-7.1.1-12 |
|---|
follow-up: 3 comment:2 by , 21 months ago
Fixes include fixing another uninitialized value and supporting MPO (stereoscopic jpeg) image format.
It looks as if we should configure with '--enable-shared' so that system perl can load the newly built https://github.com/ImageMagick/ImageMagick/issues/6422 and https://github.com/ImageMagick/ImageMagick/commit/2cc67c37aa03cb574f317793ad27f7736cba140d.
follow-up: 4 comment:3 by , 21 months ago
Replying to ken@…:
It looks as if we should configure with '--enable-shared' so that system perl can load the newly built https://github.com/ImageMagick/ImageMagick/issues/6422 and https://github.com/ImageMagick/ImageMagick/commit/2cc67c37aa03cb574f317793ad27f7736cba140d.
OTOH, perhaps our existing --disable-static might already do that ? Another thing to test.
comment:4 by , 21 months ago
Replying to ken@…:
Replying to ken@…:
It looks as if we should configure with '--enable-shared' so that system perl can load the newly built https://github.com/ImageMagick/ImageMagick/issues/6422 and https://github.com/ImageMagick/ImageMagick/commit/2cc67c37aa03cb574f317793ad27f7736cba140d.
OTOH, perhaps our existing --disable-static might already do that ? Another thing to test.
Confirmed that --disable-static provides --enable-shared, no change to instructions needed.
comment:5 by , 21 months ago
Edit: Remove *most* of what I originally wrote, it appears I must have configured using --with-raw=no while trying to understand what libraw did, and also it seems both 7.1.1-11 and 7.1.1-12 will (in a default build with libraw_r available and not specifying anything) use that as the delegate library - it will be linked from 7.1.1/modules-Q16HDRI/coders/dng.so to the multithread libraw_r.so.NN.
In the absence of libraw_r being linked from that solib, but with (old) ufraw (which no-longer compiles following the latest exiv changes), ufraw-batch in both 7.1.1-11 and 7.1.1-12 seems to have broken since ImageMagick asks for a 16-bit png but then tries to open a ppm of the same temporary name (although the png actually exists).
Since libraw_r can do the job, no point in mentioning ufraw any more, nor in providing a hint about nufraw.
For the leica rwl examples I had, renaming them to either raw or rw2 (synonyms in ImageMagick's coders/dng.h) allows them to be processed by ImageMagick.
comment:7 by , 21 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Security Advisory SA 11.3-049
Now 7.1.1-12