[announce] [SECURITY] RCE vulnerability in Horde_Image

Jan Schneider jan at horde.org
Thu Sep 21 14:08:41 UTC 2017


Hello,

a Remote Code Execution vulnerability has been found in the  
Horde_Image library when using the "Im" backend that utilizes  
ImageMagick's "convert" utility. It's not exploitable through any  
Horde application, because the code path to the vulnerability is not  
used by any Horde code. Custom applications using the Horde_Image  
library might be affected though. This vulnerability affects all  
versions of Horde_Image from 2.0.0 to 2.5.1.

A fixed version of the Horde_Image (version 2.5.2) library has already  
been released and everybody is advised to upgrade to Horde_Image 2.5.2  
as soon as possible.

Thanks to long-time contributor and supporter Thomas Jarosch  
<thomas.jarosch at intra2net.com> for discovering and reporting these  
vulnerabilities.

-- 
Jan Schneider
The Horde Project
https://www.horde.org/


