Used ImageMagick DLL is insecure

Bug #999496 reported by Marc Chauvin on 2012-05-15
This bug affects 2 people

Bug Description

The ImageMagick DLL used in Calibre (at least up to version 0.8.51) is detected as insecure by Secunia Personal Software Inspector:

The version detected of ImageMagick 6.x was 6.6.6 while the latest version including one or more security fixes is 6.7.6-5.

C:\Program Files (x86)\Calibre2\DLLs\CORE_RL_magick_.dll

I cannot find any references to security fixes in the imagemagick changelog
after version 6.6. See

The last security fix I see is in 6.5.2-8

What vulnerability are you referring to?

 status incomplete

Changed in calibre:
status: New → Incomplete
Mike Larkin (mrmikel) wrote :

I have posted a question in the Image Magick forum as to whether there are any security issues. I will post further when I get a response. If they say none I will let Secunia know there is no security issue.

Kovid Goyal (kovid) wrote :

In any case, I've updated the version of imagemagick in the calibre windows
build so that I don't get inundated by bug reports about it.

Fixed in branch lp:calibre. The fix will be in the next release. calibre is usually released every Friday.

 status fixreleased

Changed in calibre:
status: Incomplete → Fix Released
Mike Larkin (mrmikel) wrote :

This is what they said:

Security issues are tagged in the ChangeLog by CVE #. For example, @

2012-01-30 6.7.5-1 Cristy <quetzlzacatenango@image...>
Prevent overflow when casting short int to size_t when parsing a maliciously crafted image with an IFD whose all IOP tags' value offsets point to the beginning of the IFD itself [CVE-2012-0247].

So it seems that maybe there are more current issues...I could be wrong. It's hard for me to follow the version numbers.
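The reply above describes the check a maintainer can actually do: read the upstream ChangeLog, which tags security fixes with CVE ids under a dated version heading, and compare those versions against the one bundled with the application. The following is an added example of that check and is not code from this bug report, from calibre or from ImageMagick. The ChangeLog excerpt is constructed for the example (only the 6.7.5-1 / CVE-2012-0247 entry is the one quoted in the comment), and the ordering rules for ImageMagick's X.Y.Z-N version strings are an assumption.

```python
import re
from typing import Dict, List, Tuple

# ImageMagick version strings look like "6.7.5-1" (X.Y.Z-N); Secunia reported the
# bundled DLL simply as "6.6.6". Assumption: a missing "-N" patch level is
# treated as patch level 0, so "6.7.6-5" sorts after "6.7.6".
Version = Tuple[int, int, int, int]

# A ChangeLog entry starts with "YYYY-MM-DD  X.Y.Z[-N]  author"; the detail lines
# that follow may mention one or more "[CVE-YYYY-NNNN]" tags.
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+\.\d+\.\d+(?:-\d+)?)\b")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed ChangeLog excerpt. The 6.7.5-1 entry is the real one quoted in
# the forum reply; the other two entries are made up for this example and
# deliberately carry no CVE tag.
SAMPLE_CHANGELOG = """\
2012-03-20  6.7.6-5  Example Maintainer <placeholder@example.invalid>
  * Constructed entry for the example: build and documentation fixes only.

2012-01-30  6.7.5-1  Cristy  <quetzlzacatenango@image...>
  * Prevent overflow when casting short int to size_t when parsing a
    maliciously crafted image with an IFD whose all IOP tags' value offsets
    point to the beginning of the IFD itself [CVE-2012-0247].

2011-01-10  6.6.6-10  Example Maintainer <placeholder@example.invalid>
  * Constructed entry for the example: no security content.
"""


def parse_version(s: str) -> Version:
    """Turn "X.Y.Z" or "X.Y.Z-N" into a tuple that compares in release order."""
    main, _, patch = s.partition("-")
    x, y, z = (int(p) for p in main.split("."))
    return (x, y, z, int(patch) if patch else 0)


def parse_changelog(text: str) -> Dict[str, List[str]]:
    """Map every version heading in the ChangeLog to the CVE ids its entry cites."""
    fixes: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(2)
            fixes.setdefault(current, [])
            continue
        if current is None:
            continue
        for cve in CVE_RE.findall(line):
            if cve not in fixes[current]:
                fixes[current].append(cve)
    return fixes


def missing_fixes(installed: str, fixes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the CVE-tagged releases that are newer than the bundled version.

    A non-empty result means the bundled library predates at least one
    published security fix and should be updated.
    """
    bundled = parse_version(installed)
    return {
        version: cves
        for version, cves in fixes.items()
        if cves and parse_version(version) > bundled
    }


if __name__ == "__main__":
    # Version string as reported for the bundled DLL in this bug report.
    fixes = parse_changelog(SAMPLE_CHANGELOG)
    for version, cves in sorted(missing_fixes("6.6.6", fixes).items(), key=lambda kv: parse_version(kv[0])):
        print(f"bundled 6.6.6 is older than {version}, which fixes {', '.join(cves)}")
```

In practice the installed version would be read from the DLL's file version resource rather than typed in, and the full upstream ChangeLog would be fed to `parse_changelog`; the comparison logic is the same. Note that the check only finds fixes the ChangeLog explicitly tags with a CVE id, which is exactly the convention the forum reply describes.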

Mike Larkin (mrmikel) wrote :

I have posted that you will be updating this on your usual update schedule on Friday on the Secunia Community.
