Incorrect version information in Windows binaries

[/usr/local/dick]

Hi guys

I just installed the latest version of the 16 bbp static x64 binaries on Windows from this location:
http://www.imagemagick.org/download/bin ... static.exe

However, the resulting binaries still list the previous version ("6.7.6", without the "-1"):

http://cajones.org/~visser/images/IM_ve ... smatch.png

This causes vulnerability scanners such as Secunia PSI to incorrectly detect the version and hence report a vulnerability, which in fact there is none.
Also, the installation directory has string "6.7.6" in it, but that might be intentional.

Thanks!!

[davidows]

I wish someone at ImageMagick would pay attention to this thread and the developers would stop publishing hot fixes and patched versions of the product without incrementing the File Version and Product Version.

Simply using the same version number, e.g. 6.7.6, but adding a "-1" in the Comment field of the file properties will continue to confuse ImageMagick users and annoy them when very worthwhile security scanners, e.g. Secunia PSI and CSI both detect and report the very same version number as the previous (AND INSECURE) version of the file.

This inconveniences even the knowledgeable user, who knows about this issue. That user becomes accustomed to seeing a false positive indication and never knows when the shelf icon might actually be reporting a NEW and VALID vulnerability in the product, without firing up the full Secunia interface and double clicking to see the details regarding ImageMagick.

The only alternative for the user is to exclude the offending file from detection, but that also risks not being notified of an actual vulnerability that's newer than the one just fixed.

[magick]

ImageMagick does not encode the minor patch level into the product version. Some vulnerability scanners rely on just the product version and produce a false positive. We consider this a bug in the vulnerability scanners. We may in the future include the minor patch level into the product version but given our to-do list of 1000+ items it may be some time. In the mean-time, all known security issues are addressed in the ImageMagick 6.7.6-4 release (scheduled release by tomorrow). For us humans, downloading http ://www.imagemagick.org/download/binaries/I ... ws-dll.exe, makes it easy to see that you are using ImageMagick version 6.7.6 patch release 4. For vulnerability scanners, they can extract the minor patch level from ImageMagick.rdf (which is designed for machine consumption).

[glennrp]

How about switching to a numbering scheme like this?

• 6.7.6-0
  6.7.6-1
  6.7.6-2
  6.7.6-3
  6.7.6-4
  6.7.605
  6.7.606
  ...
  6.7.610
  6.7.700
  ...
  7.0.000
  7.0.001
  ...

That should make the virus-scanners happy and the humans happy too.

[anthony]

NOTE what happens if we go to double digits on say the middle number?

See getting a version number for version compares
http://www.imagemagick.org/Usage/api/#scripts

Code: Select all

    IM_VERSION=`convert -list configure | \
         sed '/^LIB_VERSION_NUMBER /!d;
              s//,/;  s/,/,0/g;
              s/,0*\([0-9][0-9]\)/\1/g'`

converts a number like
6.7.5-7
to
06070507

I do not have the winodws equivelent.

[/usr/local/dick]

Just manually uninstalled 6.7.6-1 and then installed 6.7.6-9 to overcome the various CVEs that came out recently...
As alwasy, file information still says 6.7.6 and PSI lists it as being vulnerable
But, since the software was installed in "C:\Program Files\ImageMagick-6.7.6-Q16", my PSI ignore rule keeps working