#18204 closed enhancement (fixed)
ImageMagick-7.1.1-12
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
Several security vulnerabilities have been found in ImageMagick-7 : four Medium severity, one High severity which appears to have been fixed in 7.1.1-10 (reported as fix going into beta on 19th May). Current version is 7.1.1-11, with my own choice of (additional) options this seems to work as well as our current 7.1.0-61.
The first of these CVEs I looked at definitely applied to our current version, I'm fairly sure most of the others also apply.
I've just started building a fresh system to measure this and some other forthcoming attractions, hope to get this done in the coming week.
The CVEs are CVE-2023-1289, CVE-2023-1906. CVE-2023-2157, CVE-2023-34151, CVE-2023-34153.
From https://github.com/ImageMagick/Website/blob/main/ChangeLog.md the only thing I noticed re changed possible dependencies was mentions of Oklab which turns out to be a perceptual colorspace https://bottosson.github.io/posts/oklab/ and it appears that IM can now convert sRGB images to this colorspace.
Change History (8)
comment:1 by , 22 months ago
| Summary: | ImageMagick-7.1.0-11 → ImageMagick-7.1.1-12 |
|---|
follow-up: 3 comment:2 by , 22 months ago
Fixes include fixing another uninitialized value and supporting MPO (stereoscopic jpeg) image format.
It looks as if we should configure with '--enable-shared' so that system perl can load the newly built https://github.com/ImageMagick/ImageMagick/issues/6422 and https://github.com/ImageMagick/ImageMagick/commit/2cc67c37aa03cb574f317793ad27f7736cba140d.
follow-up: 4 comment:3 by , 22 months ago
Replying to ken@…:
It looks as if we should configure with '--enable-shared' so that system perl can load the newly built https://github.com/ImageMagick/ImageMagick/issues/6422 and https://github.com/ImageMagick/ImageMagick/commit/2cc67c37aa03cb574f317793ad27f7736cba140d.
OTOH, perhaps our existing --disable-static might already do that ? Another thing to test.
comment:4 by , 22 months ago
Replying to ken@…:
Replying to ken@…:
It looks as if we should configure with '--enable-shared' so that system perl can load the newly built https://github.com/ImageMagick/ImageMagick/issues/6422 and https://github.com/ImageMagick/ImageMagick/commit/2cc67c37aa03cb574f317793ad27f7736cba140d.
OTOH, perhaps our existing --disable-static might already do that ? Another thing to test.
Confirmed that --disable-static provides --enable-shared, no change to instructions needed.
comment:5 by , 22 months ago
For processing raw photos (e.g. in identify or display) it seemed that of all the recent format examples I accumulated in the past 10+ years when looking at possible camera purchases, a few (leica rwl files) do not have a delegate, the remaining files (canon cr2, fuji raf, leica dng, nikon nef and nrw, olympus orf, panasonic rw2, pentax pef, sony arw) ALL need ufraw-batch as a delegate. This SHOULD be a runtime delegate, I'm currently on an older system where IM used to work for at least some of these, but now it seems to be using ufraw-batch to convert the images to 16-bit png, but then tries to open a non-existent /tmp 'ppm' image (a valid format for ufraw).
On the one image where I've tried this after reinstating ufraw-batch it *did* create a valid png image with the same basename. I'm 99% certain I could open my own rw2 and orf images with 7.1.1-11, so I now think 7.1.1-12 seems to be buggy (not the first time!).
There is a further problem with that, ufraw-batch is from the old ufraw fork on github, that has not been updated in years. I reinstated a git version at some time in the past, but that has broken with exiv2-0.28 and I am unable to fix it. There are patches for the nufraw fork to allow that to build (many of the same errors from exiv2, but ufraw hasd at least one other). On my new system I've tried symlinking ufraw-batch to nufraw-batch, but I do not yet know if that will work, and I need to get a properly working build (maybe 7.1.1-11) on the old system where I have a ufraw-batch before booting the new system to test it.
I'm also unsure what libraw provides here (looks at configure, swears loud and long). It looks as if --with-libraw=yes needs to be specified to use it : /usr/lib/ImageMagick-7.1.1/modules-Q16HDRI/coders/dng.so will then link to the multithread libraw_r.so.NN.
That works in 7.1.12 on my old system with 7.1.1-12 rebuilt and ufraw-batch unavailable: All my example raw files except leica rwl now work with ImageMagick. If I ever need to use those I can do what I do when adjusting my own images: 'nufraw --out-type=png --out-depth=16 --clip=film filename.typ'. LibRaw is a delegate library, preferred to delegate programs so I'm now tending towards dropping the ufraw dependency because KibRaw is preferred, can handle most files, and original ufraw is now broken by exiv2.
If anyone else needs nufraw, see Arch (they call it gimp-nufraw) for patches. I don't use cfitsio nor lensfun - tried lensfun using the Arch instructions 4½ years ago, nufraw crashed and there was no option to compile nufraw without lensfun whilst lensfun was present.
Will boot the new system to measure this, somewhen.
comment:7 by , 22 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Security Advisory SA 11.3-049
Now 7.1.1-12