On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: email@example.com: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244,
> CVE-2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667,
> CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750,
> CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
> CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759,
> CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763,
> CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768,
> CVE-2020-27770, CVE-2020-27771, CVE-2020-27772, CVE-2020-27773,
> CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
> CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135,
> CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541,
> CVE-2019-17547, CVE-2019-18853, CVE-2019-7175, CVE-2019-7395,
> CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323,
> CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
> CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime
To me, ImageMagick has been lagging behind for a long while and we need to upgrade to the latest version ASAP. Unfortunately we don't seem to be able to do that, since it has lots of dependents, and backporting each and every one of these patches is just impossible; also, there's way more in the commit history without security labeling like CVE.

I don't want to deal with backporting things for ImageMagick to catch up with the previous security fixes that no one cared to apply in due time earlier. It's just too much.
Your patch looks good to me, but I've just posted an alternative patch set to 'guix-devel' which should enable us to keep ImageMagick up-to-date without grafting, and which fixes this security flaw and more.

https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html

It's not a big deal, but if you push your patch now, I would need to rebase the patch set on top of it.

Mark
On Sat, 2021-03-27 at 09:27 -0400, Mark H Weaver wrote:
> Your patch looks good to me, but I've just posted an alternative
> patch set to 'guix-devel' which should enable us to keep ImageMagick
> up-to-date without grafting, and which fixes this security flaw and
> more.
>
> https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html
>
> It's not a big deal, but if you push your patch now, I would need to
> rebase the patch set on top of it.
>
> Mark
Thank you, let's get your better patch in, then close this.