{ "schema_version": "1.7.0", "id": "MGASA-2019-0194", "published": "2019-06-21T01:07:01Z", "modified": "2019-06-20T23:59:50Z", "summary": "Updated graphicsmagick packages fix security vulnerabilities", "details": "GraphicsMagick 1.3.32 is now released, fixing another 52 additional \nissues detected by oss-fuzz.\n\nOf special mention is a bug reported to us by \"Battle Furry\" via our \nsecurity mail alias. This bug (was considered to be a \"feature\") \nallows including file text as rendered text on a graphic image, or as \ntext hidden in metadata, by using a file refered to with '@...ename' \nsyntax where text to be rendered normally appears. This issue was \ninherited from ImageMagick 5.5.2 and it even appears in ImageMagick \n4.2.9.\n\nIt has been determined that the SVG and WMF formats may be used to \nsupply this '@...ename' syntax, resulting in rendered text on a \ngraphic image, or as text hidden in metadata (e.g. the image comment). \nFurthermore, it may be that other applications and web sites accept \ntext to be rendered on behalf of users and that this issue could allow \nuntrusted users to receive content considered to be secure and private \n(e.g. private keys or passwords).\n", "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2019-0194.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=24966" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2019/06/15/9" } ], "affected": [ { "package": { "ecosystem": "Mageia:6", "name": "graphicsmagick", "purl": "pkg:rpm/mageia/graphicsmagick?arch=source&distro=mageia-6" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.3.32-1.mga6" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }