[Pkg-gmagick-im-team] Bug#845196: imagemagick 8:6.8.9.9-5+deb8u6 still vulnerable to Bug#845196

Antoine Beaupré anarcat at orangeseeds.org
Tue Dec 27 21:32:02 UTC 2016


On 2016-12-27 00:52:06, Salvatore Bonaccorso wrote:
> Hi Antoine and Bastien,
>
> On Tue, Dec 20, 2016 at 02:58:21PM -0500, Antoine Beaupré wrote:
>> Hi secteam,
>> 
>> I believe the fix for bug#845196 shipped with DSA-3726-1 is incomplete,
>> at least in stable. It does ship with this patch:
>> 
>> https://github.com/ImageMagick/ImageMagick/commit/1be809ae06f2fcb094836960edb707f81422e964
>> 
>> but not this one:
>> 
>> https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
>> 
>> so it is missing one fputc check in convert.
>> 
>> On 2016-12-20 13:34:03, Bastien Roucaries wrote:
>> > Please reopen and notify security team
>> 
>> The bug report is actually still opened in stable, according to the BTS,
>> so I don't believe a change is required there. I have removed the fixed
>> marker from the security tracker and added a relevant note.
>
> So for reference, CVEs were assigned for those. Actually as well one
> more for the "fwrite issue in ReadGROUP4Image", we should file that as
> a separate bug report.
>
> CVE assignment:
> http://www.openwall.com/lists/oss-security/2016/12/26/9

Hi!

I see that some of those CVE assignments were integrated in the security
tracker, but I haven't reviewed them all. Am I correct in assuming that
all this is done and I don't need to review mitre's message in detail at
this point?

Thanks,

A.

-- 
Monochrome is for those who are (still) interested in content.
Usenet under those conditions is like the web with lynx: you become
too aware of the emptiness, it's depressing.
                        - JLC in the Guide du linuxien pervers:
                          "Coup de cafard..."


