[Pkg-gmagick-im-team] Bug#845196: imagemagick 8:6.8.9.9-5+deb8u6 still vulnerable to Bug#845196
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 28 05:18:06 UTC 2016
Hi,
On Tue, Dec 27, 2016 at 04:32:02PM -0500, Antoine Beaupré wrote:
> On 2016-12-27 00:52:06, Salvatore Bonaccorso wrote:
> > Hi Antonie and Bastien,
> >
> > On Tue, Dec 20, 2016 at 02:58:21PM -0500, Antoine Beaupré wrote:
> >> Hi secteam,
> >>
> >> I believe the fix for bug#845196 shipped with DSA-3726-1 is incomplete,
> >> at least in stable. It does ship with this patch:
> >>
> >> https://github.com/ImageMagick/ImageMagick/commit/1be809ae06f2fcb094836960edb707f81422e964
> >>
> >> but not this one:
> >>
> >> https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
> >>
> >> so it is missing one fputc check in convert.
> >>
> >> On 2016-12-20 13:34:03, Bastien Roucaries wrote:
> >> > Please reopen and.notify sécurity team
> >>
> >> The bug report is actually still opened in stable, according to the BTS,
> >> so I don't believe a change is required there. I have removed the fixed
> >> marker from the security tracker and added a relevant note.
> >
> > So for reference, CVEs were assigned for those. Actually as well one
> > more for the "fwrite issue in ReadGROUP4Image", we should fill that as
> > separate bugreport.
> >
> > CVE assignment:
> > http://www.openwall.com/lists/oss-security/2016/12/26/9
>
> Hi!
>
> I see that some of those CVE assigments were integrated in the security
> tracker, but I haven't reviewed them all. Am I correct in assuming that
> all this is done and I don't need to review mitre's message in detail at
> this point?
Yes, I did update the security-tracker information yesterday.
Regards,
Salvatore
More information about the Pkg-gmagick-im-team
mailing list