[Bug 2004580] Re: Possible arbitrary file leak
Paulo Flabiano Smorigo
2004580 at bugs.launchpad.net
Thu Mar 16 16:21:38 UTC 2023
For jammy and kinetic, I renamed the patch files as a sequence and added
an additional mitigation from Debian. There is no patch missing from
your list; I did a diff after applying all changes and the result is the
same as your command. No missing patch left.
For focal I also renamed the patch, changed it as you suggested, and added
the additional mitigation too.
The new packages are available at:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=imagemagick
Can you check if it's ok? About the POC, could you please send it to my
email, which is included in the changelog? I'll add it to the integrated
tests we do for the package.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/2004580
Title:
Possible arbitrary file leak
Status in imagemagick package in Ubuntu:
Fix Released
Bug description:
More details can be found here:
https://www.metabaseq.com/imagemagick-zero-days/
Affected versions:
Injection via "-authenticate"
- ImageMagick 6: 6.9.8-1 up to 6.9.11-40
Exploitation via MSL:
- ImageMagick 6: 6.9.11-35 up to 6.9.11-40