[pkg-horde] Bug#876400: php-horde-image: CVE-2017-14650: remote code execution in _raw() via $index parameter
carnil at debian.org
Thu Sep 21 18:53:10 UTC 2017
Tags: patch upstream security
The following vulnerability was published for php-horde-image.
| A Remote Code Execution vulnerability has been found in the Horde_Image
| library when using the "Im" backend that utilizes ImageMagick's
| "convert" utility. It's not exploitable through any Horde application,
| because the code path to the vulnerability is not used by any Horde
| code. Custom applications using the Horde_Image library might be
| affected. This vulnerability affects all versions of Horde_Image from
| 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input
| validation of the index field in _raw() during construction of an
| ImageMagick command line.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
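An added example, not part of the original message and not Horde_Image's own code: one way to validate a frame index before it is placed in an ImageMagick `convert` command line, shown next to the unvalidated pattern the advisory describes. The function names, file paths, the 0-9999 bound and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration, not Horde_Image code; all function names are hypothetical.

// Weak pattern (constructed): caller-supplied $index lands in a shell string as-is.
function weak_convert_command(string $src, $index, string $dst): string
{
    return 'convert ' . $src . '[' . $index . '] ' . $dst;
}

// Accept only a non-negative decimal integer within an assumed upper bound.
function validate_frame_index($index, int $max = 9999): int
{
    if (is_int($index)) {
        $value = $index;
    } elseif (is_string($index) && preg_match('/\A(?:0|[1-9][0-9]{0,3})\z/', $index)) {
        $value = (int) $index;
    } else {
        throw new InvalidArgumentException('frame index must be a non-negative integer');
    }
    if ($value < 0 || $value > $max) {
        throw new InvalidArgumentException('frame index out of range');
    }
    return $value;
}

// Hardened pattern: validate first, then keep every argument a separate element.
function build_convert_argv(string $src, $index, string $dst): array
{
    $frame = validate_frame_index($index);
    return ['convert', $src . '[' . $frame . ']', $dst];
}

// For exec()-style APIs that take one string, quote each element individually.
// On PHP 7.4+ the array can instead go to proc_open(), which bypasses the shell.
function argv_to_shell_string(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample inputs: two valid indices and several malformed ones.
foreach ([0, '3', '03', '-1', '1.5', ' 2', "4\n", '12345', null] as $candidate) {
    try {
        $argv = build_convert_argv('/tmp/in.gif', $candidate, '/tmp/out.png');
        echo var_export($candidate, true), ' => ', argv_to_shell_string($argv), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo var_export($candidate, true), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The pattern uses `\A` and `\z` rather than `^` and `$` so that a value with a trailing newline is rejected instead of being silently accepted.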