Bug 219497 - graphics/ImageMagick: Upgrade to recent version (v6.9.8-6) - current(v6.9.6-4) is vulnerable
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Koop Mast
URL:
Keywords:
: 219565
Depends on:
Blocks:
 
Reported: 2017-05-24 08:12 UTC by Dani
Modified: 2017-05-31 09:01 UTC
5 users

See Also:
bugzilla: maintainer-feedback? (kwm)
i.dani: maintainer-feedback? (secteam)


Attachments
svn diff for graphics/ImageMagick (2.85 KB, patch)
2017-05-25 21:03 UTC, Bernard Spil
brnrd: maintainer-approval?
security/vuxml: Fix uncorrect naming of ImageMagick and add v7 to vulnerable too (732 bytes, patch)
2017-05-29 06:42 UTC, Dani
i.dani: maintainer-approval? (brnrd)

Description Dani 2017-05-24 08:12:50 UTC
The current version 6 (legacy version - https://legacy.imagemagick.org/script/index.php), available for FreeBSD, has multiple vulnerabilities.

See here: https://www.cvedetails.com/vulnerability-list/vendor_id-1749/Imagemagick.html

Please also see: http://thehackernews.com/2017/05/yahoo-imagemagick-hack.html

Which has been fixed in the current version(v6.9.8-6):
http://git.imagemagick.org/repos/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Available versions upstream: http://git.imagemagick.org/repos/ImageMagick/tags
Comment 1 commit-hook freebsd_committer 2017-05-25 20:52:10 UTC
A commit references this bug:

Author: brnrd
Date: Thu May 25 20:51:49 UTC 2017
New revision: 441717
URL: https://svnweb.freebsd.org/changeset/ports/441717

Log:
  security/vuxml: Document ImageMagick vulnerabilities

  PR:		219497
  Reported by:	dani <i.dani@outlook.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Bernard Spil freebsd_committer 2017-05-25 21:03:03 UTC
Created attachment 182914 [details]
svn diff for graphics/ImageMagick

graphics/ImageMagick: Update to 6.9.8.6

 - Update to 6.9.8-6 incl security fixes
 - Fix plist issues

PR: 219497
MFH: 2017Q2
Security: 50776801-4183-11e7-b291-b499baebfeaf
Comment 3 Koop Mast freebsd_committer 2017-05-26 00:15:32 UTC
I will commit the update tomorrow. I had my own patch already, and was testing it in poudriere. As much as I like, I don't think secteam will be happy with a straight 1:1 MFH due to the shared library bumps....
Comment 4 commit-hook freebsd_committer 2017-05-26 08:20:28 UTC
A commit references this bug:

Author: kwm
Date: Fri May 26 08:19:38 UTC 2017
New revision: 441760
URL: https://svnweb.freebsd.org/changeset/ports/441760

Log:
  Update ImageMagick to 6.9.8.6.

  PR:		219497
  Security:	50776801-4183-11e7-b291-b499baebfeaf

Changes:
  head/graphics/ImageMagick/Makefile
  head/graphics/ImageMagick/distinfo
  head/graphics/ImageMagick/pkg-plist
  head/graphics/ImageMagick-nox11/Makefile
Comment 5 Koop Mast freebsd_committer 2017-05-26 08:26:54 UTC
*** Bug 219565 has been marked as a duplicate of this bug. ***
Comment 6 Dani 2017-05-29 06:42:19 UTC
Created attachment 183027 [details]
security/vuxml: Fix incorrect naming of ImageMagick and add v7 to vulnerable too

Use the same name as for the vulnerabilities before:
-> https://www.vuxml.org/freebsd/pkg-ImageMagick.html

v7 is also vulnerable -> See here: bug #219627
Comment 7 commit-hook freebsd_committer 2017-05-30 08:02:23 UTC
A commit references this bug:

Author: brnrd
Date: Tue May 30 08:01:34 UTC 2017
New revision: 442053
URL: https://svnweb.freebsd.org/changeset/ports/442053

Log:
  security/vuxml: Fix latest ImageMagick entry

   - Fix case in pkgname
   - Add version 7
   - add -nox pkgnamesuffix

  PR:		219497
  Submitted by:	Dani <i.dani@outlook.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Bernard Spil freebsd_committer 2017-05-30 08:03:06 UTC
As the wiki says when updating a page:

Your attention to detail is appreciated!

Thanks Dani!
Comment 9 Dani 2017-05-30 09:33:37 UTC
(In reply to Bernard Spil from comment #8)

You're very welcome!
Enjoy the nice weather and greetings from Switzerland,
Dani
Comment 10 Fabiano Sidler 2017-05-30 15:08:01 UTC
Please still MT2017Q2! ;)
Comment 11 commit-hook freebsd_committer 2017-05-31 09:01:05 UTC
A commit references this bug:

Author: kwm
Date: Wed May 31 09:00:33 UTC 2017
New revision: 442142
URL: https://svnweb.freebsd.org/changeset/ports/442142

Log:
  Manually backport CVE patches, due to shared library bump in ImageMagick.

  PR:		219497
  Approved by:	ports-secteam@ (feld@)
  Security:	50776801-4183-11e7-b291-b499baebfeaf

Changes:
  branches/2017Q2/graphics/ImageMagick/Makefile
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5506
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5507
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5508
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5509
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5510
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5511
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6497
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6498
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6499
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6500
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6501
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6502
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7275
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7606
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7619
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7941
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7942
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7943
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8343
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8344
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8345
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8346
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8347
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8348
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8349
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8350
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8351
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8352
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8353
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8354
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8355
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8356
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8357
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8765
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8830
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9141
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9142
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9143
  branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9144