[Pkg-gmagick-im-team] Bug#1070340: imagemagick: Bug CVE-2023-34151 was not properly closed in imagemagick from Bookworm for mvg

Sergei Semin syominsergey at gmail.com
Fri May 3 22:16:31 BST 2024


Source: imagemagick
Version: 8:6.9.11.60+dfsg-1.6+deb12u1
Severity: important
Tags: security upstream
X-Debbugs-Cc: syominsergey at gmail.com, Debian Security Team <team at security.debian.org>

Hello!
Bug CVE-2023-34151 was not properly closed in imagemagick from Bookworm for mvg.
Version of imagemagick is 8:6.9.11.60+dfsg-1.6+deb12u1.
You can see instructions on how to reproduce it here:
https://docs.google.com/document/d/1zjM5MvfFYC317PEPY4_4WRi0hOdpM766FyqpvOmeE90/edit?usp=sharing
I have discussed this problem with upstream developers here:
https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2063607226
They approved and fixed the bug for imagemagick7, but for some reason they didn't approve the bug for imagemagick6. But I think it still exists and could be reproduced in a Debian Bookworm environment as described.
P.S. I tried to send a message to 1036999 at bugs.debian.org, but I received the error '550 Unknown or archived bug', so I decided to open a new bug.


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-20-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


