[Pkg-gmagick-im-team] Bug#1070340: Patch to fix CVE-2023-34151 in mvg for imagemagick_6.9.10.23+dfsg-2.1+deb10u7 from Debian Buster
Сергей Сёмин
syominsergey at gmail.com
Tue May 14 13:38:05 BST 2024
Hello!
Upstream developers of ImageMagick6 fixed CVE-2023-34151 for mvg after all.
See more info here:
https://github.com/ImageMagick/ImageMagick/issues/6341#issuecomment-2108156142
I discovered final list of commits fixing problem:
-
https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117
-
https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649
-
https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e
-
https://github.com/ImageMagick/ImageMagick6/commit/bc5ac19bd93895e5c6158aad0d8e49a0c50b0ebb
-
https://github.com/ImageMagick/ImageMagick6/commit/3252d4771ff1142888ba83c439588969fcea98e4
-
https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9
And this is also useful to make applying of these commits to version
from Debian Buster easier:
-
https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9
I squoshed them, slightly adopted to make applicable to target version of
imagemagick and finally prepared this patch suitable for
imagemagick_6.9.10.23+dfsg-2.1+deb10u7 from Debian Buster:
https://pastila.nl/?001caded/fa33173a3374db4c55ab654d3e75d668#ZqwgZatwpOmWAtcWUs6QAA==
I checked, that after application of this patch to
imagemagick_6.9.10.23+dfsg-2.1+deb10u7 bug CVE-2023-34151 is not
reproducible - there is no error "runtime error: 5e+26 is outside the range
of representable values of type 'long unsigned int'" with file piechart.mvg.
Hope my patch compiled from commits from upstream will be helpful.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20240514/05d26edb/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_CVE-2023-34151_for_mvg_in_imagemagick_6.9.10.23+dfsg-2.1+deb10u7.patch
Type: text/x-patch
Size: 3185 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gmagick-im-team/attachments/20240514/05d26edb/attachment.bin>
More information about the Pkg-gmagick-im-team
mailing list