From debbugs-submit-bounces@debbugs.gnu.org Sat Mar 27 09:29:41 2021 Received: (at 47418) by debbugs.gnu.org; 27 Mar 2021 13:29:41 +0000 Received: from localhost ([127.0.0.1]:43562 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lQ90X-0002H1-HO for submit@debbugs.gnu.org; Sat, 27 Mar 2021 09:29:41 -0400 Received: from world.peace.net ([64.112.178.59]:49084) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lQ90V-0002Gl-44 for 47418@debbugs.gnu.org; Sat, 27 Mar 2021 09:29:40 -0400 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lQ90N-0004yb-Kv; Sat, 27 Mar 2021 09:29:31 -0400 From: Mark H Weaver To: 47418@debbugs.gnu.org Subject: Re: bug#47418: [PATCH] gnu: imagemagick: Fix CVE-2020-27829. In-Reply-To: <20210326195342.14152-1-lle-bout@zaclys.net> References: <20210326195342.14152-1-lle-bout@zaclys.net> Date: Sat, 27 Mar 2021 09:27:54 -0400 Message-ID: <875z1czpxm.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 47418 Cc: =?utf-8?Q?L=C3=A9o?= Le Bouter X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) L=C3=A9o Le Bouter via Bug reports for GNU Guix writes: > * gnu/packages/patches/imagemagick-CVE-2020-27829.patch: New patch. > * gnu/local.mk (dist_patch_DATA): Register it. > * gnu/packages/imagemagick.scm (imagemagick/fixed): Apply patch to existi= ng > graft. > --- > gnu/local.mk | 1 + > gnu/packages/imagemagick.scm | 3 ++- > .../patches/imagemagick-CVE-2020-27829.patch | 23 +++++++++++++++++++ > 3 files changed, 26 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/imagemagick-CVE-2020-27829.patch Your patch looks good to me, but I've just posted an alternative patch set to 'guix-devel' which should enable us to keep ImageMagick up-to-date without grafting, and which fixes this security flaw and more. https://lists.gnu.org/archive/html/guix-devel/2021-03/msg00538.html It's not a big deal, but if you push your patch now, I would need to rebase the patch set on top of it. Mark