Koozali.org: home of the SME Server

Obsolete Releases => SME 7.x Contribs => Topic started by: cactus on September 09, 2006, 10:30:43 PM

Title: Newer ImageMagick version than in base repository?
Post by: cactus on September 09, 2006, 10:30:43 PM
Has anyone installed a newer ImageMagick version (6.2.2.3 or higher) than the one in the base repository (6.0.7)? That version has a vulnerability, as stated by my gallery2 installation:

Quote
Version

ImageMagick 6.0.7

Warning: This version of ImageMagick has a known vulnerability that can be exploited to cause infinite loops. You may wish to upgrade. This determination may be inaccurate for Debian.

It links to the National Vulnerability Site (http://) which states:
Quote from: "Vulnerability Summary CVE-2005-1739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1739)"
The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.
Title: Newer ImageMagick version than in base repository?
Post by: crazybob on September 10, 2006, 01:04:31 AM
Did you notify the security team at security@contribs.org ?
Never mind, I just did it myself

Bob
Title: Newer ImageMagick version than in base repository?
Post by: cactus on September 10, 2006, 10:02:36 AM
Quote from: "crazybob"
Did you notify the security team at security@contribs.org ?
Never mind, I just did it myself

Bob
No, I did not do so... Thanks for reporting it to them.
Title: Newer ImageMagick version than in base repository?
Post by: gregswallow on September 11, 2006, 08:59:41 PM
* Thu May 26 2005  <mclasen@redhat.com> - 6.0.7.1-12
- fix a denial of service in the xwd coder (#158790, CAN-2005-1739)

As long as you have this version or newer, you are ok.

It's an rpm from CentOS by the way, not part of SME7.
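
The changelog entry quoted in the last post records the fix in the package release rather than in the upstream version number, so the package changelog is the place to check for it. The script below is an added example, not part of the thread or of any SME Server tooling: the function names `fix_release` and `sample_changelog` are hypothetical, the second changelog entry is constructed, and it assumes each changelog header line ends with the version-release.

```shell
#!/bin/sh
# Added example: report which package release recorded a fix for a given
# CVE id in RPM changelog text. On a live system, feed it with:
#   rpm -q --changelog ImageMagick | fix_release CVE-2005-1739

# fix_release ID (hypothetical helper): reads changelog text on stdin and
# prints the version-release of the newest entry whose body mentions ID.
# Older entries use the candidate prefix CAN- for the same number, so both
# spellings are accepted. Exit status is 0 if found, 1 if not.
fix_release() {
    num=${1#CVE-}
    num=${num#CAN-}
    awk -v num="$num" '
        # Header line: "* <date> <packager> - <version-release>"
        /^\* / { ver = $NF; next }
        # Body line naming the id; the trailing class stops 1739 from
        # matching a longer number such as 17390.
        match($0, "(CVE|CAN)-" num "([^0-9]|$)") {
            print ver; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Sample changelog: the first entry is the one quoted in the thread,
# the second entry is constructed for illustration.
sample_changelog() {
    cat <<'EOF'
* Thu May 26 2005  <mclasen@redhat.com> - 6.0.7.1-12
- fix a denial of service in the xwd coder (#158790, CAN-2005-1739)

* Mon Jan 03 2005 Example Packager <packager@example.invalid> - 6.0.7.1-1
- constructed entry: initial build
EOF
}

sample_changelog | fix_release CVE-2005-1739   # prints 6.0.7.1-12
```

A non-zero exit status means the installed package's changelog does not mention the id.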