Bug 255802 - graphics/ImageMagick7: upgrade to 7.0.11-12 and fix some vulnerabilities
Summary: graphics/ImageMagick7: upgrade to 7.0.11-12 and fix some vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Koop Mast
URL: https://imagemagick.org/script/change...
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-05-11 21:11 UTC by Thierry Thomas
Modified: 2021-05-28 08:22 UTC (History)
5 users (show)

See Also:
bugzilla: maintainer-feedback? (kwm)


Attachments
Upgrade ImageMagick7 to 7.0.11-12 and fix some vulnerabilities (63.57 KB, patch)
2021-05-11 21:11 UTC, Thierry Thomas
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Thomas freebsd_committer 2021-05-11 21:11:31 UTC
Created attachment 224860 [details]
Upgrade ImageMagick7 to 7.0.11-12 and fix some vulnerabilities

Changelog at <https://imagemagick.org/script/changelog.php>.

Vulnerabilities fixed: CVE-2020-27829, CVE-2020-29599, CVE-2021-20176, CVE-2021-20241, CVE-2021-20243, CVE-2021-20244, CVE-2021-20245, CVE-2021-20246.

Note: ImageMagick6 might be also affected by some of these CVE.
Comment 1 commit-hook freebsd_committer 2021-05-13 14:44:09 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0e7c332de8bbd7100f615c8b07569925f6a2e42c

commit 0e7c332de8bbd7100f615c8b07569925f6a2e42c
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-13 14:17:39 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-13 14:43:16 +0000

    security/vuxml: declare vulnerabilities for ImageMagick7

    PR:             255802

 security/vuxml/vuln.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)
Comment 2 VVD 2021-05-13 19:30:52 UTC
Plz, remove "USES+= compiler:openmp" at least for amd64 and i386.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252379
Comment 3 Thierry Thomas freebsd_committer 2021-05-13 19:52:28 UTC
(In reply to VVD from comment #2)

Do not hesitate to replace the proposed patch!
Comment 4 george 2021-05-23 17:36:51 UTC
This patch works fine for me on FreeBSD 12.2-RELEASE-p6 r369558 on amd64, but is the new dependency on ffmpeg really needed?  Could that be made an option?
Comment 5 Thierry Thomas freebsd_committer 2021-05-24 09:39:50 UTC
(In reply to george from comment #4)

The proposed patch has been well tested, and I suggest that we commit it as quick as possible, to fix the vulnerabilities.

After that, it will be possible to reorganize the options; Koop, what do you think?
Comment 6 commit-hook freebsd_committer 2021-05-27 20:56:04 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b9e10f61aefb128744fcd0556b93b3e45bb2df1f

commit b9e10f61aefb128744fcd0556b93b3e45bb2df1f
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2021-05-11 21:00:13 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2021-05-27 20:54:09 +0000

    graphics/ImageMagick7: upgrade to 7.0.11-12 and fix some vulnerabilities

    Changelog at <https://imagemagick.org/script/changelog.php>.

    PR:             255802
    Approved by:    maintainerâs time-out
    Security:       CVE-2020-27829
    Security:       CVE-2020-29599
    Security:       CVE-2021-20176
    Security:       CVE-2021-20241
    Security:       CVE-2021-20243
    Security:       CVE-2021-20244
    Security:       CVE-2021-20245
    Security:       CVE-2021-20246

 graphics/ImageMagick7/Makefile  |   7 +-
 graphics/ImageMagick7/distinfo  |   6 +-
 graphics/ImageMagick7/pkg-plist | 793 +++-------------------------------------
 3 files changed, 54 insertions(+), 752 deletions(-)
Comment 7 Thierry Thomas freebsd_committer 2021-05-27 20:57:14 UTC
Just committed.
Comment 8 Peter Putzer 2021-05-27 21:51:00 UTC
Why is there a new dependency on ffmpeg for a graphics library? It can't even be disabled with a config option.
Comment 9 Thierry Thomas freebsd_committer 2021-05-28 08:22:48 UTC
(In reply to Peter Putzer from comment #8)
You are right: see PR 256215.