Your message dated Wed, 08 Jun 2022 18:49:04 +0000
with message-id <e1nz0jo-0006os...@fasolo.debian.org>
and subject line Bug#1007225: fixed in ruby-image-processing 1.10.3-2
has caused the Debian Bug report #1007225,
regarding ruby-image-processing: CVE-2022-24720
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1007225: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007225
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-image-processing
Version: 1.10.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-image-processing.

CVE-2022-24720[0]:
| image_processing is an image processing wrapper for libvips and
| ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the
| `#apply` method from image_processing to apply a series of operations
| that are coming from unsanitized user input allows the attacker to
| execute shell commands. This method is called internally by Active
| Storage variants, so Active Storage is vulnerable as well. The
| vulnerability has been fixed in version 1.12.2 of image_processing. As
| a workaround, users who process based on user input should always
| sanitize the user input by allowing only a constrained set of
| operations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24720
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24720
[1] https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
[2] https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada

Regards,
Salvatore

--- End Message ---
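An added illustration (not from the bug report or the image_processing gem) of the workaround the advisory text describes: constrain user-supplied operations to an allowlist with validated arguments before anything reaches `#apply`. The allowed operation names, argument rules and size caps are this example's own assumptions.

```ruby
# Added illustration of the workaround named in the advisory text above:
# accept only a constrained, allowlisted set of operations (with validated
# arguments) before anything user-supplied reaches image_processing's #apply.
# Not part of the gem or the bug report; names and limits here are assumptions.

class UnsafeOperation < StandardError; end

# Two positive integer dimensions, capped so a request cannot demand huge images.
def two_dimensions?(args)
  args.is_a?(Array) && args.size == 2 &&
    args.all? { |v| v.is_a?(Integer) && v.positive? && v <= 4096 }
end

# Operation name => predicate that must hold for its arguments.
ALLOWED_OPERATIONS = {
  "resize_to_limit" => ->(args) { two_dimensions?(args) },
  "resize_to_fill"  => ->(args) { two_dimensions?(args) },
  "rotate"          => ->(args) { args.is_a?(Integer) && [90, 180, 270].include?(args) },
  "convert"         => ->(args) { %w[jpg png webp].include?(args) },
}.freeze

# Returns a symbol-keyed hash suitable for passing to #apply, or raises.
# Anything not in the allowlist is rejected outright rather than forwarded:
# #apply must never see an operation name chosen by the user.
def sanitize_operations(requested)
  raise UnsafeOperation, "operations must be a Hash" unless requested.is_a?(Hash)

  requested.each_with_object({}) do |(name, args), safe|
    key = name.to_s
    validator = ALLOWED_OPERATIONS[key]
    raise UnsafeOperation, "operation not allowed: #{key}" unless validator
    raise UnsafeOperation, "bad arguments for #{key}: #{args.inspect}" unless validator.call(args)
    safe[key.to_sym] = args
  end
end

# Constructed sample input, as it might arrive decoded from a request body.
if __FILE__ == $0
  puts sanitize_operations({ "resize_to_limit" => [400, 400], "convert" => "jpg" }).inspect
  begin
    sanitize_operations({ "unknown_op" => "anything" })
  rescue UnsafeOperation => e
    puts "rejected: #{e.message}"
  end
end
```

The returned hash is what you would hand to the pipeline's `apply`; the raw request hash is never passed through.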
--- Begin Message ---
Source: ruby-image-processing
Source-Version: 1.10.3-2
Done: Utkarsh Gupta <utka...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-image-processing, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1007...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated ruby-image-processing package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 08 Jun 2022 23:00:16 +0530
Source: ruby-image-processing
Architecture: source
Version: 1.10.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Closes: 1007225
Changes:
 ruby-image-processing (1.10.3-2) unstable; urgency=medium
 .
   [ Utkarsh Gupta ]
   * Re-order d/p/series to match the previous order
   * Refresh d/patches
   * Add myself as the uploader instead.
     - Jongmin Kim has been MIA, so drop them. Thank you
       for your contributions, Jongmin Kim.
 .
   [ Daniel Leidert ]
   * Team upload.
   * d/control (Depends): Remove interpreter and add ${ruby:Depends}.
   * d/copyright: Add Upstream-Contact field.
   * d/rules: Add DH_RUBY to set gem installation layout.
   * d/upstream/metadata: Add upstream metadata.
 .
   [ Rajesh Simandalahi ]
   * d/p/prevent-remote-shell-execution-in-apply.patch: Add patch
     to prevent remote shell execution in #apply. Thanks to Janko
     Marohnić for providing the patch.
     (Closes: #1007225) (Fixes: CVE-2022-24720)


--- End Message ---