Created attachment 224860
Upgrade ImageMagick7 to 7.0.11-12 and fix some vulnerabilities

Changelog at <https://imagemagick.org/script/changelog.php>.

Vulnerabilities fixed: CVE-2020-27829, CVE-2020-29599, CVE-2021-20176, CVE-2021-20241, CVE-2021-20243, CVE-2021-20244, CVE-2021-20245, CVE-2021-20246.

Note: ImageMagick6 might also be affected by some of these CVEs.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0e7c332de8bbd7100f615c8b07569925f6a2e42c

commit 0e7c332de8bbd7100f615c8b07569925f6a2e42c
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-13 14:17:39 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-13 14:43:16 +0000

    security/vuxml: declare vulnerabilities for ImageMagick7

    PR: 255802

 security/vuxml/vuln.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)
Please remove "USES+= compiler:openmp", at least for amd64 and i386.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252379
(In reply to VVD from comment #2) Do not hesitate to replace the proposed patch!
This patch works fine for me on FreeBSD 12.2-RELEASE-p6 r369558 on amd64, but is the new dependency on ffmpeg really needed? Could that be made an option?
(In reply to george from comment #4) The proposed patch has been well tested, and I suggest that we commit it as quick as possible, to fix the vulnerabilities. After that, it will be possible to reorganize the options; Koop, what do you think?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b9e10f61aefb128744fcd0556b93b3e45bb2df1f

commit b9e10f61aefb128744fcd0556b93b3e45bb2df1f
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-11 21:00:13 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-27 20:54:09 +0000

    graphics/ImageMagick7: upgrade to 7.0.11-12 and fix some vulnerabilities

    Changelog at <https://imagemagick.org/script/changelog.php>.

    PR:          255802
    Approved by: maintainer's time-out
    Security:    CVE-2020-27829
    Security:    CVE-2020-29599
    Security:    CVE-2021-20176
    Security:    CVE-2021-20241
    Security:    CVE-2021-20243
    Security:    CVE-2021-20244
    Security:    CVE-2021-20245
    Security:    CVE-2021-20246

 graphics/ImageMagick7/Makefile  |   7 +-
 graphics/ImageMagick7/distinfo  |   6 +-
 graphics/ImageMagick7/pkg-plist | 793 +++-------------------------------------
 3 files changed, 54 insertions(+), 752 deletions(-)
Just committed.
Why is there a new dependency on ffmpeg for a graphics library? It can't even be disabled with a config option.
(In reply to Peter Putzer from comment #8) You are right: see PR 256215.
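A practical follow-up to this PR for anyone operating FreeBSD hosts is to check whether an installed ImageMagick7 package predates the release that carries the fixes, 7.0.11-12. The script below is an added example, not code from the PR thread or from the ports tree: it normalises upstream-style versions ("7.0.11-12") and pkg-style dotted versions ("7.0.11.12") to the same form, compares them field by field, and scans a constructed sample of `pkg info`-style package lines. The package-name prefix `ImageMagick7-` and the sample versions are assumptions used for illustration.

```shell
#!/bin/sh
# Added example (not from the PR thread): flag ImageMagick7 packages older than
# the release that fixes the CVEs listed in this PR.

FIXED_VERSION="7.0.11-12"   # upstream release named in the PR as carrying the fixes

# norm_version: 7.0.11-12 -> 7.0.11.12 so upstream and pkg-style strings compare alike
norm_version() {
    printf '%s\n' "$1" | tr '-' '.'
}

# version_lt A B: exit 0 if A < B comparing numeric fields left to right, else 1.
# Missing trailing fields count as 0, so 7.0.11 == 7.0.11.0.
version_lt() {
    a=$(norm_version "$1")
    b=$(norm_version "$2")
    i=1
    while :; do
        fa=$(printf '%s\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 1   # all fields equal
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# imagemagick7_needs_update VERSION: exit 0 if VERSION predates the fixed release
imagemagick7_needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample of 'pkg info'-style output (not real system data); the
# ImageMagick7- prefix is an assumption about the package name.
SAMPLE_PKG_INFO='ImageMagick7-7.0.10.62
ImageMagick7-7.0.11.12
png-1.6.37'

# report_from_pkg_info: print one status line per ImageMagick7 package found
report_from_pkg_info() {
    printf '%s\n' "$SAMPLE_PKG_INFO" | while IFS= read -r line; do
        case "$line" in
            ImageMagick7-*)
                ver=${line#ImageMagick7-}
                if imagemagick7_needs_update "$ver"; then
                    printf '%s: older than %s, update needed\n' "$line" "$FIXED_VERSION"
                else
                    printf '%s: fixed release or newer\n' "$line"
                fi
                ;;
        esac
    done
}

report_from_pkg_info
```

On a real host, replace the constructed `SAMPLE_PKG_INFO` with the output of `pkg info` (or rely on `pkg audit`, which consults the same vuxml database the first commit in this PR updated).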