[Pkg-gmagick-im-team] Bug#1032998: imagemagick: font issue since 8:6.9.10.23+dfsg-2.1+deb10u2
Maxime Besson
maxime.besson at worteks.com
Wed Mar 15 14:36:46 GMT 2023
Package: imagemagick
Version: 8:6.9.10.23+dfsg-2.1+deb10u2
Severity: normal
Dear Maintainer,
After updating to 8:6.9.10.23+dfsg-2.1+deb10u2, libgd-securityimage-perl
does not work anymore because of the CVE-2022-44267 and CVE-2022-44268
mitigation:
<policy domain="path" rights="none" pattern="/etc/*" />
Removing this line from /etc/ImageMagick-6/policy.xml restores correct
behavior.
Here is a test script that tries to generate a Captcha
# Use the Image::Magick backend rather than GD
use GD::SecurityImage use_magick => 1;
my $image = GD::SecurityImage->new(
width => 200,
height => 100,
lines => 4,
gd_font => 'Giant',
scramble => 1,
rndmax => 10,
);
# Generate the random string, render it, and emit the PNG on stdout
$image->random;
$image->create( 'normal', 'default', "#403030", "#FF644B");
print $image->out( force => 'png' );
The update breaks usage of fonts, causes warnings to be printed, and
leaves the image missing any text (which is bad for a Captcha),
likely due to the fact that font configuration files for ImageMagick
are in /etc.
-- Package-specific info:
ImageMagick program version
---------------------------
-- System Information:
Debian Release: 10.13
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.0.0-0.deb11.6-amd64 (SMP w/6 CPU cores; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
-- Configuration Files:
/etc/ImageMagick-6/policy.xml changed [not included]
-- no debconf information
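The following is an added example, not part of the bug report or of the Debian package, that shows how a maintainer could audit an ImageMagick policy.xml for path patterns that would deny access to font configuration. It parses a constructed policy fragment containing the reported mitigation line and checks a few constructed font-related paths against it. Pattern matching is approximated with Python's fnmatch (where `*` also matches `/`), which is an assumption about ImageMagick's glob behaviour, not ImageMagick's own matcher.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy fragment: the deb10u2 mitigation line from the report,
# plus two typical default entries for contrast. This is a sample, not the
# complete Debian /etc/ImageMagick-6/policy.xml.
SAMPLE_POLICY = """<policymap>
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="path" rights="none" pattern="/etc/*" />
  <policy domain="coder" rights="none" pattern="PS" />
</policymap>"""

# Constructed font-related paths a captcha generator may touch on Debian.
FONT_PATHS = [
    "/etc/fonts/fonts.conf",
    "/etc/ImageMagick-6/type-ghostscript.xml",
    "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf",
]


def parse_path_policies(xml_text):
    """Return (pattern, rights) for every <policy domain="path"> entry."""
    root = ET.fromstring(xml_text)
    policies = []
    for el in root.iter("policy"):
        if el.get("domain") == "path":
            policies.append((el.get("pattern", ""), el.get("rights", "")))
    return policies


def denied_by_policy(path, policies):
    """Return the first pattern that denies all rights on `path`, else None.

    Assumption: fnmatchcase stands in for ImageMagick's glob matcher; for
    simple prefix patterns such as "/etc/*" the two agree because '*'
    matches '/' in both.
    """
    for pattern, rights in policies:
        if rights == "none" and fnmatch.fnmatchcase(path, pattern):
            return pattern
    return None


def audit_paths(xml_text, paths):
    """Map each path to the denying pattern, or None if the policy allows it."""
    policies = parse_path_policies(xml_text)
    return {p: denied_by_policy(p, policies) for p in paths}


if __name__ == "__main__":
    for path, pattern in audit_paths(SAMPLE_POLICY, FONT_PATHS).items():
        status = f"denied by pattern {pattern!r}" if pattern else "allowed"
        print(f"{path}: {status}")
```

Running this against the real policy file (read it into `xml_text`) lists which of the paths the font subsystem needs are blocked, which is the quickest way to confirm that a path rule such as `/etc/*` is the cause of missing text before loosening or narrowing it.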