On Sat, 2021-03-27 at 00:12 +0100, Maxime Devos wrote:
> This patch seems about right to me. However,
>
> $ guix lint -c cve imagemagick
> gnu/packages/imagemagick.scm:132:2: imagemagick@6.9.12-2g: probably
> vulnerable to CVE-2021-20176, CVE-2021-20243, CVE-2021-20244,
> CVE-2020-25663, CVE-2020-25665, CVE-2020-25666, CVE-2020-25667,
> CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27750,
> CVE-2020-27751, CVE-2020-27752, CVE-2020-27753, CVE-2020-27755,
> CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759,
> CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763,
> CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768,
> CVE-2020-27770, CVE-2020-27771, CVE-2020-27772, CVE-2020-27773,
> CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2019-10131,
> CVE-2019-10714, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135,
> CVE-2019-13136, CVE-2019-13137, CVE-2019-17540, CVE-2019-17541,
> CVE-2019-17547, CVE-2019-18853, CVE-2019-7175, CVE-2019-7395,
> CVE-2019-7396, CVE-2019-7397, CVE-2019-7398, CVE-2018-16323,
> CVE-2018-16328, CVE-2018-16329, CVE-2018-16749, CVE-2018-16750,
> CVE-2018-20467, CVE-2018-6405
>
> Did we forget some bugs & patches, or is "guix lint" incorrect here?
>
> Greetings,
> Maxime
To me, ImageMagick has been lagging behind for a long while and we need to upgrade to the latest version ASAP. Unfortunately we don't seem to be able to do that since it has lots of dependents, and backporting each and every one of these patches is just impossible; also, there's way more in the commit history without security labeling like CVE. I don't want to deal with backporting things for ImageMagick to catch up with the previous security fixes that no one cared to apply in due time earlier. It's just too much.