[pkg-horde] Bug#876400: php-horde-image: CVE-2017-14650: remote code execution in _raw() via $index parameter

Salvatore Bonaccorso carnil at debian.org
Thu Sep 21 18:53:10 UTC 2017


Source: php-horde-image
Version: 2.0.1-1
Severity: grave
Tags: patch upstream security

Hi,

the following vulnerability was published for php-horde-image.

CVE-2017-14650[0]:
| A Remote Code Execution vulnerability has been found in the Horde_Image
| library when using the "Im" backend that utilizes ImageMagick's
| "convert" utility. It's not exploitable through any Horde application,
| because the code path to the vulnerability is not used by any Horde
| code. Custom applications using the Horde_Image library might be
| affected. This vulnerability affects all versions of Horde_Image from
| 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input
| validation of the index field in _raw() during construction of an
| ImageMagick command line.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14650
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14650
[1] https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b

Regards,
Salvatore
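As an added illustration of the defect class the advisory describes (hypothetical helpers written for this page, not Horde's own code and not taken from the bug report or the upstream commit): an index value concatenated into an ImageMagick `convert` command line without validation, beside a checked and escaped form of the same construction.

```php
<?php
// Hypothetical illustration of the CVE-2017-14650 defect class: an index
// field is spliced into a "convert" command line with no validation.
// Function names and argument layout are assumptions, not Horde_Image's API.

// Vulnerable pattern: $index is taken as-is, so anything other than a
// frame number ends up inside the shell command that is later executed.
function buildConvertCommandUnsafe(string $source, string $index, string $target): string
{
    return 'convert ' . $source . '[' . $index . '] ' . $target;
}

// Hardened pattern: the index must be a non-negative integer, and every
// argument that can be influenced by callers goes through escapeshellarg()
// so it is always passed to "convert" as a single literal argument.
function buildConvertCommandSafe(string $source, string $index, string $target): string
{
    if (!ctype_digit($index)) {
        throw new InvalidArgumentException('index must be a non-negative integer');
    }
    $frame = $source . '[' . (int) $index . ']';
    return 'convert ' . escapeshellarg($frame) . ' ' . escapeshellarg($target);
}

// Constructed sample inputs for a local run.
$source = 'input.gif';
$target = 'output.png';

echo buildConvertCommandSafe($source, '0', $target), PHP_EOL;

try {
    // A non-numeric index is rejected before any command line is built.
    buildConvertCommandSafe($source, '0 extra', $target);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation belongs at the point where the command line is assembled, so that callers of a library such as Horde_Image cannot reach the shell with an unchecked value even when no shipped application uses that code path.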
