[Pkg-gmagick-im-team] Bug#964090: Status summary
Ulrike Uhlig
ulrike at debian.org
Tue Mar 2 11:42:30 GMT 2021
Hello!
As I ran into this issue, I am giving a short summary here of what I
understand, so that others do not have to re-read everything again:
AFAIU, there are two issues: one is related to Ghostscript, and one to
ImageMagick itself.
Ghostscript
===========
According to https://www.kb.cert.org/vuls/id/332928/ the issue is
addressed in Ghostscript 9.24.
Except for Debian old-old-stable, Debian does ship versions above 9.24:
https://tracker.debian.org/pkg/ghostscript
ImageMagick
===========
Issue described here:
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
This is fixed in ImageMagick 6.9.11 and later, which is available in
Bullseye but not earlier versions of Debian.
Current status reflected there:
https://security-tracker.debian.org/tracker/CVE-2020-29599
- ulrike