Source: php-horde-image
Version: 2.0.1-1
Severity: grave
Tags: patch upstream security

Hi,

the following vulnerability was published for php-horde-image.

CVE-2017-14650[0]:
| A Remote Code Execution vulnerability has been found in the Horde_Image
| library when using the "Im" backend that utilizes ImageMagick's
| "convert" utility. It's not exploitable through any Horde application,
| because the code path to the vulnerability is not used by any Horde
| code. Custom applications using the Horde_Image library might be
| affected. This vulnerability affects all versions of Horde_Image from
| 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input
| validation of the index field in _raw() during construction of an
| ImageMagick command line.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14650
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14650
[1] https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

Regards,
Salvatore
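
An added example, not part of the original report and not Horde's code: one way to validate a frame index before it is placed on an ImageMagick "convert" command line, in PHP. The function name, the 0..65535 bound, the file paths and the sample inputs are assumptions made for illustration; the actual upstream fix is the commit referenced as [1].

```php
<?php
// Added illustration; not code from Horde_Image. All names are hypothetical.

/**
 * Build a "convert" command line that extracts one frame of an image.
 * $index is untrusted and must not reach the shell unvalidated.
 */
function buildFrameCommand(string $convert, string $in, $index, string $out): string
{
    // Accept only an integer in a fixed range (the upper bound is an assumed
    // limit). The validated int, never the original value, is used below.
    $frame = filter_var($index, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 65535],
    ]);
    // Strict comparison: a valid index of 0 must not be mistaken for failure.
    if ($frame === false) {
        throw new InvalidArgumentException('frame index must be an integer in 0..65535');
    }

    // Defence in depth: every argument is quoted as a single shell word.
    return implode(' ', [
        escapeshellarg($convert),
        escapeshellarg($in . '[' . $frame . ']'),
        escapeshellarg($out),
    ]);
}

// Constructed sample inputs: two valid indexes, then values to be rejected.
foreach ([0, '7', '1]', 'abc', '-1', '3 4', null, ['0']] as $candidate) {
    try {
        $cmd = buildFrameCommand('convert', '/tmp/in.gif', $candidate, '/tmp/out.png');
        echo 'accepted: ', $cmd, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($candidate), PHP_EOL;
    }
}
```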