[Pkg-gmagick-im-team] Bug#1032998: imagemagick: font issue since 8:

Maxime Besson maxime.besson at worteks.com
Wed Mar 15 14:36:46 GMT 2023

Package: imagemagick
Version: 8:
Severity: normal

Dear Maintainer,

After updating to 8:, libgd-securityimage-perl
does not work anymore because of the CVE-2022-44267 and CVE-2022-44268

	<policy domain="path" rights="none" pattern="/etc/*" />

Removing this line from /etc/ImageMagick-6/policy.xml restores correct

Here is a test script that tries to generate a Captcha

    use GD::SecurityImage use_magick => 1;

    my $image = GD::SecurityImage->new(
        width    => 200,
        height   => 100,
        lines    => 4,
	gd_font  => 'Giant',
        scramble => 1,
        rndmax   => 10,
    $image->create( 'normal', 'default', "#403030", "#FF644B");
    print $image->out( force => 'png' );

The update breaks usage of fonts, and causes warnings to be printed, and
the image to be missing any text (which is bad for a Captcha)
, likely due to the fact that font configuration files for ImageMagick
are in /etc

-- Package-specific info:
ImageMagick program version

-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-0.deb11.6-amd64 (SMP w/6 CPU cores; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- Configuration Files:
/etc/ImageMagick-6/policy.xml changed [not included]

-- no debconf information

More information about the Pkg-gmagick-im-team mailing list