[Git][security-tracker-team/security-tracker][master] CVE-2019-11598/imagemagick: update notes concerning patch

Hugo Lefeuvre hle at debian.org
Sat May 11 12:59:50 BST 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e3dcaa9 by Hugo Lefeuvre at 2019-05-11T11:59:32Z
CVE-2019-11598/imagemagick: update notes concerning patch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -654,6 +654,8 @@ CVE-2019-11598 (In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-r
 	[stretch] - imagemagick <postponed> (Fix along in next DSA)
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540
 	NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77
+	NOTE: patch introduces new (potentially security relevant) bugs, see:
+	NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540#issuecomment-491504100
 CVE-2019-11597 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in ...)
 	- imagemagick <unfixed> (bug #928207)
 	[stretch] - imagemagick <postponed> (Fix along in next DSA)


=====================================
data/dla-needed.txt
=====================================
@@ -45,9 +45,7 @@ imagemagick (Hugo Lefeuvre, Markus Koschany)
   NOTE: new upstream version like the security team did with Graphicsmagick in
   NOTE: Stretch. (apo)
   NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto)
-  NOTE: CVE-2019-11598: patch looks broken to me. I contacted upstream and recommend to not
-  NOTE: upload this patch before a clear answer was provided:
-  NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540#issuecomment-491489236
+  NOTE: CVE-2019-11598: patch is broken. Wait for followup patches.
 --
 jruby
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e3dcaa94c6556c5c497bc8bc40ae9d5d0f40303

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e3dcaa94c6556c5c497bc8bc40ae9d5d0f40303
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190511/870769a0/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list