libpng vulnerability found on Nov 18

[henry]

Recently there was a vulnerability found in all libpng versions up to 1.6.18.
Is there any plan for imageMagick to use libpng 1.6.19?

Thanks
Henry

[dlemstra]

As stated here: viewtopic.php?f=3&t=28674, ImageMagick is not vulnerable to CVE-2015-8126. We did however upgrade the libpng version that we link with on Windows.

[henry]

Thank you for the reply. I download imageMagick 6.9.2-6 source for windows and found the png version is still 1.6.17. Which version of imageMagick was upgraded to libpng 1.6.19?(Which solve the vulnerable problem).

Thanks
henry

[dlemstra]

6.9.2-6 uses 1.6.17 but is not vulnerable. ImageMagick 6.9.2-7 will be using libpng 1.6.19.

[henry]

Do you have an estimated time when the imageMagick 6.9.2-7 will be ready?

Thanks a lot
Henry

[magick]

ImageMagick 6.9.2-7 will be available 2015-11-28T14:54:58.613Z.

[henry]

I downloaded 6.9.2-8, in the configure, I didn't found anywhere libpng 1.6.19 is specified.
Does it mean imageMagick will use whatever libpng is in the system?

[magick]

That's correct. Check the news, ImageMagick is not vulnerable to the PNG exploit.