Author: Adam Borowski
Date:  
To: dng
Subject: Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
> Adam Borowski writes:
> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
> >> Actually, imagemagick is one of worst offenders here. The version in Jessie
> >> is at deb8u9, and every security update tends to mention ~20 CVEs.
> >
> > ... aaaand, just hours later, here comes deb8u10:
> >
> > # Package        : imagemagick
> > # CVE ID         : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
> > #                  CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
> > #                  CVE-2017-11360 CVE-2017-11188
> > # Debian Bug     : 863126 867367 867778 867721 864273 864274 867806 868264
> > #                  868184 867810 867808 867811 867812 867896 867798 867821
> > #                  867824 867825 867826 867893 867823 867894 867897
>
> Totally untested, but you might try to replace imagemagick with
> graphicsmagick. It's at deb8u ;-)


It's a fork, so it suffers from the same vulnerabilities as imagemagick. It
might get better only after someone rewrites everything from scratch (in
which case there'll be a whole new set of bugs).

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.