Page 1 of 1
libpng vulnerability found on Nov 18
Posted: 2015-11-19T14:51:57-07:00
by henry
Recently there was a vulnerability found in all libpng versions up to 1.6.18.
Is there any plan for imageMagick to use libpng 1.6.19?
Thanks
Henry
Re: libpng vulnerability found on Nov 18
Posted: 2015-11-19T14:56:51-07:00
by dlemstra
As stated here:
viewtopic.php?f=3&t=28674, ImageMagick is not vulnerable to CVE-2015-8126. We did however upgrade the libpng version that we link with on Windows.
Re: libpng vulnerability found on Nov 18
Posted: 2015-11-19T15:13:11-07:00
by henry
Thank you for the reply. I download imageMagick 6.9.2-6 source for windows and found the png version is still 1.6.17. Which version of imageMagick was upgraded to libpng 1.6.19?(Which solve the vulnerable problem).
Thanks
henry
Re: libpng vulnerability found on Nov 18
Posted: 2015-11-19T15:33:03-07:00
by dlemstra
6.9.2-6 uses 1.6.17 but is not vulnerable. ImageMagick 6.9.2-7 will be using libpng 1.6.19.
Re: libpng vulnerability found on Nov 18
Posted: 2015-11-23T11:35:25-07:00
by henry
Do you have an estimated time when the imageMagick 6.9.2-7 will be ready?
Thanks a lot
Henry
Re: libpng vulnerability found on Nov 18
Posted: 2015-11-23T12:53:22-07:00
by magick
ImageMagick 6.9.2-7 will be available 2015-11-28T14:54:58.613Z.
Re: libpng vulnerability found on Nov 18
Posted: 2015-12-14T11:18:37-07:00
by henry
I downloaded 6.9.2-8, in the configure, I didn't found anywhere libpng 1.6.19 is specified.
Does it mean imageMagick will use whatever libpng is in the system?
Re: libpng vulnerability found on Nov 18
Posted: 2015-12-14T11:28:58-07:00
by magick
That's correct. Check the news, ImageMagick is not vulnerable to the PNG exploit.