GNU bug report logs

#47418 imagemagick is vulnerable to CVE-2020-27829

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #13 received at 47418@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47418) by debbugs.gnu.org; 26 Mar 2021 23:12:23 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 19:12:23 2021
Received: from localhost ([127.0.0.1]:42836 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lPvcs-0003v6-U5
	for submit@debbugs.gnu.org; Fri, 26 Mar 2021 19:12:23 -0400
Received: from xavier.telenet-ops.be ([195.130.132.52]:44584)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@telenet.be>) id 1lPvcq-0003uu-FF
 for 47418@debbugs.gnu.org; Fri, 26 Mar 2021 19:12:21 -0400
Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be
 ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d])
 by xavier.telenet-ops.be with bizsmtp
 id lBCG240050mfAB401BCHll; Sat, 27 Mar 2021 00:12:18 +0100
Message-ID: <095ec340cf07cbb96d5dc7f53ca4b47b8ec1525d.camel@telenet.be>
Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829.
From: Maxime Devos <maximedevos@telenet.be>
To: Léo Le Bouter <lle-bout@zaclys.net>, 
 47418@debbugs.gnu.org
Date: Sat, 27 Mar 2021 00:12:11 +0100
In-Reply-To: <20210326195342.14152-1-lle-bout@zaclys.net>
References: <e3478c8a057c33edc40dff562106807e883cef99.camel@zaclys.net>
 <20210326195342.14152-1-lle-bout@zaclys.net>
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature"; boundary="=-KCC0WIkQXJY0g82hgkOR"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1616800338; bh=P6VHVHR6Ipa0u5ItqVb8KsTIlJ9r5tiFYC43SgicGOg=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=jn1HvfgdzfOTkfk9AvS1d5aGfaF769lmKHoGZp0VdQbMrw/nVYbNBXFPXwL9kiSgY
 tvTkkIkWZw0kGMV4gDZ/iWfAGwkRgmSefIPHpJF0C2bJvRivtbXl/ADzUoC/sP8Ple
 nsCKV1HsLXrbEaSBrSNS3XwZd6bZ8BYRhkOIkwfmRA29nSIGaQDK1Tz4t/zTwPrv2N
 ENPYeRDAtd8DwVMK0sG3e/sgcnJFAoa/qvXmwuuxEudPFR46KdT377vHjUwZibC5iY
 PQGtLGDZmsGeHgdK017mG48wCwgWpCOWyqfvxsDZbITfjzns7DdySYP5hjGUL5Syil
 PdXUvI/FugkCw==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47418
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]
This patch seems about right to me.  However,

$ guix lint -c cve imagemagick
gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244, CVE-
2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750, CVE-2020-
27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760,
CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27770, CVE-2020-
27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131, CVE-2019-10714, CVE-2019-13133,
CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541, CVE-2019-17547, CVE-2019-18853, CVE-2019-
7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323, CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-
2018-16750, CVE-2018-20467, CVE-2018-6405

Did we forget some bugs & patches, or is "guix lint" incorrect here?

Greetings,
Maxime

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 03:23:50 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.