[pkg-horde] Bug#876400: php-horde-image: CVE-2017-14650: remote code execution n _raw() via $index parameter

Salvatore Bonaccorso carnil at debian.org
Thu Sep 21 18:53:10 UTC 2017

Source: php-horde-image
Version: 2.0.1-1
Severity: grave
Tags: patch upstream security


the following vulnerability was published for php-horde-image.

| A Remote Code Execution vulnerability has been found in the Horde_Image
| library when using the "Im" backend that utilizes ImageMagick's
| "convert" utility. It's not exploitable through any Horde application,
| because the code path to the vulnerability is not used by any Horde
| code. Custom applications using the Horde_Image library might be
| affected. This vulnerability affects all versions of Horde_Image from
| 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input
| validation of the index field in _raw() during construction of an
| ImageMagick command line.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14650
[1] https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b


More information about the pkg-horde-hackers mailing list