* [Buildroot] [PATCH 1/1] package/imagemagick: security bump to version 7.1.0-45
@ 2022-08-15 19:19 Fabrice Fontaine
  2022-08-15 19:36 ` Yann E. MORIN
  2022-09-16 21:53 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2022-08-15 19:19 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

- Fix CVE-2022-1114: A heap-use-after-free flaw was found in
  ImageMagick's RelinquishDCMInfo() function of dcm.c file. This
  vulnerability is triggered when an attacker passes a specially crafted
  DICOM image file to ImageMagick for conversion, potentially leading to
  information disclosure and a denial of service.
- Fix CVE-2022-32545: A vulnerability was found in ImageMagick, causing
  an outside the range of representable values of type 'unsigned char'
  at coders/psd.c, when crafted or untrusted input is processed. This
  leads to a negative impact to application availability or other
  problems related to undefined behavior.
- Fix CVE-2022-32546: A vulnerability was found in ImageMagick, causing
  an outside the range of representable values of type 'unsigned long'
  at coders/pcl.c, when crafted or untrusted input is processed. This
  leads to a negative impact to application availability or other
  problems related to undefined behavior.
- Fix CVE-2022-32547: In ImageMagick, there is load of misaligned
  address for type 'double', which requires 8 byte alignment and for
  type 'float', which requires 4 byte alignment at
  MagickCore/property.c. Whenever crafted or untrusted input is
  processed by ImageMagick, this causes a negative impact to application
  availability or other problems related to undefined behavior.
- Update hash of LICENSE (year updated with
  https://github.com/ImageMagick/ImageMagick/commit/80629dfb3fea55eefa2dd8bdd9ca1be341502e16)

https://github.com/ImageMagick/Website/blob/main/ChangeLog.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/imagemagick/imagemagick.hash | 4 ++--
 package/imagemagick/imagemagick.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/imagemagick/imagemagick.hash b/package/imagemagick/imagemagick.hash
index 278becd2ab..ff0f3e26c6 100644
--- a/package/imagemagick/imagemagick.hash
+++ b/package/imagemagick/imagemagick.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  385ca5bd8ce9b37e685779c46868171af949265c9db40067c1c4d7442dbc723e  imagemagick-7.1.0-19.tar.gz
-sha256  040badb77b659e751ea16113490a937e1e01f3f5d32181e966b8982413533fb2  LICENSE
+sha256  3df6ca6dff15a4e8a20b4593c60285a59e38890440494d91a344e5c0e2bb3eec  imagemagick-7.1.0-45.tar.gz
+sha256  8cceeb67d4e783cb63075c7311fdb990fa0369ee80fbd0f481064cd02386ca2d  LICENSE
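Review bot: The new tarball digest on the `imagemagick-7.1.0-45.tar.gz` line sits under `# Locally computed`, so nothing in this file ties it to a checksum published upstream. Because the archive is fetched through the `github` helper (see `IMAGEMAGICK_SITE` in imagemagick.mk), the sha256 should be recomputed from an independent download by whoever applies the patch. The changed LICENSE digest is accounted for by the year-update commit linked in the commit message, which is the right place to record it.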
diff --git a/package/imagemagick/imagemagick.mk b/package/imagemagick/imagemagick.mk
index 64a530c6d2..893606ff01 100644
--- a/package/imagemagick/imagemagick.mk
+++ b/package/imagemagick/imagemagick.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-IMAGEMAGICK_VERSION = 7.1.0-19
+IMAGEMAGICK_VERSION = 7.1.0-45
 IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
 IMAGEMAGICK_LICENSE = Apache-2.0
 IMAGEMAGICK_LICENSE_FILES = LICENSE
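Review bot: `IMAGEMAGICK_VERSION` moves from 7.1.0-19 to 7.1.0-45 in a single step, and the commit message lists four CVEs without saying which upstream release fixed each one. Recording the fixing release per CVE in the commit message would help when deciding whether stable branches need the full bump, and would make it easier to confirm that no intermediate release changes configure options or dependencies that the rest of imagemagick.mk relies on.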
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/imagemagick: security bump to version 7.1.0-45
  2022-08-15 19:19 [Buildroot] [PATCH 1/1] package/imagemagick: security bump to version 7.1.0-45 Fabrice Fontaine
@ 2022-08-15 19:36 ` Yann E. MORIN
  2022-09-16 21:53 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2022-08-15 19:36 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2022-08-15 21:19 +0200, Fabrice Fontaine spake thusly:
> - Fix CVE-2022-1114: A heap-use-after-free flaw was found in
>   ImageMagick's RelinquishDCMInfo() function of dcm.c file. This
>   vulnerability is triggered when an attacker passes a specially crafted
>   DICOM image file to ImageMagick for conversion, potentially leading to
>   information disclosure and a denial of service.
> - Fix CVE-2022-32545: A vulnerability was found in ImageMagick, causing
>   an outside the range of representable values of type 'unsigned char'
>   at coders/psd.c, when crafted or untrusted input is processed. This
>   leads to a negative impact to application availability or other
>   problems related to undefined behavior.
> - Fix CVE-2022-32546: A vulnerability was found in ImageMagick, causing
>   an outside the range of representable values of type 'unsigned long'
>   at coders/pcl.c, when crafted or untrusted input is processed. This
>   leads to a negative impact to application availability or other
>   problems related to undefined behavior.
> - Fix CVE-2022-32547: In ImageMagick, there is load of misaligned
>   address for type 'double', which requires 8 byte alignment and for
>   type 'float', which requires 4 byte alignment at
>   MagickCore/property.c. Whenever crafted or untrusted input is
>   processed by ImageMagick, this causes a negative impact to application
>   availability or other problems related to undefined behavior.
> - Update hash of LICENSE (year updated with
>   https://github.com/ImageMagick/ImageMagick/commit/80629dfb3fea55eefa2dd8bdd9ca1be341502e16)
> 
> https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/imagemagick/imagemagick.hash | 4 ++--
>  package/imagemagick/imagemagick.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/imagemagick/imagemagick.hash b/package/imagemagick/imagemagick.hash
> index 278becd2ab..ff0f3e26c6 100644
> --- a/package/imagemagick/imagemagick.hash
> +++ b/package/imagemagick/imagemagick.hash
> @@ -1,3 +1,3 @@
>  # Locally computed
> -sha256  385ca5bd8ce9b37e685779c46868171af949265c9db40067c1c4d7442dbc723e  imagemagick-7.1.0-19.tar.gz
> -sha256  040badb77b659e751ea16113490a937e1e01f3f5d32181e966b8982413533fb2  LICENSE
> +sha256  3df6ca6dff15a4e8a20b4593c60285a59e38890440494d91a344e5c0e2bb3eec  imagemagick-7.1.0-45.tar.gz
> +sha256  8cceeb67d4e783cb63075c7311fdb990fa0369ee80fbd0f481064cd02386ca2d  LICENSE
> diff --git a/package/imagemagick/imagemagick.mk b/package/imagemagick/imagemagick.mk
> index 64a530c6d2..893606ff01 100644
> --- a/package/imagemagick/imagemagick.mk
> +++ b/package/imagemagick/imagemagick.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -IMAGEMAGICK_VERSION = 7.1.0-19
> +IMAGEMAGICK_VERSION = 7.1.0-45
>  IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
>  IMAGEMAGICK_LICENSE = Apache-2.0
>  IMAGEMAGICK_LICENSE_FILES = LICENSE
> -- 
> 2.35.1

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* Re: [Buildroot] [PATCH 1/1] package/imagemagick: security bump to version 7.1.0-45
  2022-08-15 19:19 [Buildroot] [PATCH 1/1] package/imagemagick: security bump to version 7.1.0-45 Fabrice Fontaine
  2022-08-15 19:36 ` Yann E. MORIN
@ 2022-09-16 21:53 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2022-09-16 21:53 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2022-1114: A heap-use-after-free flaw was found in
 >   ImageMagick's RelinquishDCMInfo() function of dcm.c file. This
 >   vulnerability is triggered when an attacker passes a specially crafted
 >   DICOM image file to ImageMagick for conversion, potentially leading to
 >   information disclosure and a denial of service.
 > - Fix CVE-2022-32545: A vulnerability was found in ImageMagick, causing
 >   an outside the range of representable values of type 'unsigned char'
 >   at coders/psd.c, when crafted or untrusted input is processed. This
 >   leads to a negative impact to application availability or other
 >   problems related to undefined behavior.
 > - Fix CVE-2022-32546: A vulnerability was found in ImageMagick, causing
 >   an outside the range of representable values of type 'unsigned long'
 >   at coders/pcl.c, when crafted or untrusted input is processed. This
 >   leads to a negative impact to application availability or other
 >   problems related to undefined behavior.
 > - Fix CVE-2022-32547: In ImageMagick, there is load of misaligned
 >   address for type 'double', which requires 8 byte alignment and for
 >   type 'float', which requires 4 byte alignment at
 >   MagickCore/property.c. Whenever crafted or untrusted input is
 >   processed by ImageMagick, this causes a negative impact to application
 >   availability or other problems related to undefined behavior.
 > - Update hash of LICENSE (year updated with
 >   https://github.com/ImageMagick/ImageMagick/commit/80629dfb3fea55eefa2dd8bdd9ca1be341502e16)

 > https://github.com/ImageMagick/Website/blob/main/ChangeLog.md

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
