calibre: e-book management

Used ImageMagick DLL is insecure

Reported by Marc Chauvin on 2012-05-15
This bug affects 2 people
Affects: calibre | Importance: Undecided | Assigned to: Unassigned

Bug Description

The ImageMagick DLL used in Calibre (at least up to version 0.8.51) is detected as insecure by Secunia Personal Software Inspector:

The version detected of ImageMagick 6.x was 6.6.6 while the latest version including one or more security fixes is 6.7.6-5.

File:
C:\Program Files (x86)\Calibre2\DLLs\CORE_RL_magick_.dll


I cannot find any references to security fixes in the imagemagick changelog
after version 6.6. See http://www.imagemagick.org/script/changelog.php

The last security fix I see is in 6.5.2-8

What vulnerability are you referring to?

 status incomplete

Changed in calibre:
status: New → Incomplete
Mike Larkin (mrmikel) wrote :

I have posted a question in the Image Magick forum as to whether there are any security issues. I will post further when I get a response. If they say none I will let Secunia know there is no security issue.

Kovid Goyal (kovid) wrote :

In any case, I've updated the version of imagemagick in the calibre windows build so that I don't get inundated by bug reports about it.

Fixed in branch lp:calibre. The fix will be in the next release. calibre is usually released every Friday.

 status fixreleased

Changed in calibre:
status: Incomplete → Fix Released
Mike Larkin (mrmikel) wrote :

This is what they said:

Security issues are tagged in the ChangeLog by CVE #. For example, @ http://www.imagemagick.org/script/changelog.php:

2012-01-30 6.7.5-1 Cristy <quetzlzacatenango@image...>
Prevent overflow when casting short int to size_t when parsing a maliciously crafted image with an IFD whose all IOP tags' value offsets point to the beginning of the IFD itself [CVE-2012-0247].

So it seems that maybe there are more current issues...I could be wrong. It's hard for me to follow the version numbers.
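
To make the check described in the comment above concrete (a CVE tag in an ImageMagick changelog entry, compared against the version of the bundled DLL), here is an added Python example. It is not part of this bug report or of calibre's code. It parses a constructed changelog excerpt: the 6.7.5-1 entry is the one quoted above, while the other two entries are made up for the example and deliberately carry no CVE identifier. The function names and the changelog layout assumed by the regexes are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the ImageMagick ChangeLog quoted in
# this bug. Only the 6.7.5-1 entry is real (taken from the report above);
# the 6.7.6-5 and 6.6.6-10 entries are made-up filler with no CVE.
SAMPLE_CHANGELOG = """\
2012-03-10  6.7.6-5 Cristy  <quetzlzacatenango@image...>
  * Constructed entry: build fix, no security impact.

2012-01-30  6.7.5-1 Cristy  <quetzlzacatenango@image...>
  * Prevent overflow when casting short int to size_t when parsing a
    maliciously crafted image with an IFD whose all IOP tags' value offsets
    point to the beginning of the IFD itself [CVE-2012-0247].

2011-01-15  6.6.6-10 Cristy  <quetzlzacatenango@image...>
  * Constructed entry: documentation update.
"""

# An entry header starts a line with a date followed by a version such as
# 6.7.5-1 (the "-N" patch level is optional in this example's parser).
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+\.\d+\.\d+(?:-\d+)?)\b", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'6.7.5-1' -> (6, 7, 5, 1). A missing patch level counts as 0."""
    main, _, patch = text.partition("-")
    major, minor, micro = (int(p) for p in main.split("."))
    return (major, minor, micro, int(patch) if patch else 0)


def cve_fix_versions(changelog: str) -> Dict[str, Version]:
    """Map each CVE tagged in the changelog to the earliest version mentioning it."""
    fixes: Dict[str, Version] = {}
    headers = list(ENTRY_RE.finditer(changelog))
    for i, header in enumerate(headers):
        # The entry body runs from this header to the next header (or EOF).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        body = changelog[header.end():end]
        version = parse_version(header.group(2))
        for cve in CVE_RE.findall(body):
            if cve not in fixes or version < fixes[cve]:
                fixes[cve] = version
    return fixes


def missing_fixes(installed: str, changelog: str) -> List[str]:
    """CVEs whose fix landed in a version newer than the installed one."""
    have = parse_version(installed)
    return sorted(cve for cve, fixed_in in cve_fix_versions(changelog).items()
                  if have < fixed_in)


if __name__ == "__main__":
    # The DLL version Secunia reported for the calibre build in this bug.
    print(missing_fixes("6.6.6", SAMPLE_CHANGELOG))
```

One caveat when feeding this a version read from a Windows file version resource: that resource may not carry ImageMagick's "-N" patch level, so a reported "6.6.6" is treated here as 6.6.6-0 and cannot distinguish between releases within the 6.6.6 series. Against a fix in a later series, as with 6.7.5-1 here, the comparison is unambiguous.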

Mike Larkin (mrmikel) wrote :

I have posted that you will be updating this on your usual update schedule on Friday on the Secunia Community.
