[Git][security-tracker-team/security-tracker][master] CVE-2019-13391/imagemagick: upstream patch broken
Hugo Lefeuvre
hle at debian.org
Thu Jul 25 15:36:37 BST 2019
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4803cef7 by Hugo Lefeuvre at 2019-07-25T14:36:11Z
CVE-2019-13391/imagemagick: upstream patch broken
This patch is partly reverted by the CVE-2019-13308 patch and the
remaining part does not seem to be related to the actual issue (it
seems to fix unrelated memory leaks).
This should only be applied together with the CVE-2019-13308 patch,
https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511e
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2835,6 +2835,8 @@ CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier
- imagemagick <unfixed> (bug #931633)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984
+ NOTE: Patch is insufficient, and most likely broken. It is partly reverted by
+ NOTE: the CVE-2019-13308 patch, which seems to be the actual patch for this issue.
CVE-2019-13390 (In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in l ...)
- ffmpeg <unfixed> (low; bug #932535)
[buster] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.1.x branch)
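Review bot: The two added NOTE lines name "the CVE-2019-13308 patch" only in words, while the existing NOTE lines of this entry point at the issue and the commit by URL. Add a NOTE line with the ImageMagick6 commit URL that the commit message cites for CVE-2019-13308, so that someone reading data/CVE/list can find the commit to apply together with f6ffc702 without consulting the git log. "Most likely broken" would also be more useful if it recorded what the commit message already states: that the part which is not reverted seems to fix unrelated memory leaks rather than the actual issue.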
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4803cef7ae2236a496fab0ec13e91a62945e310d