[Pkg-gmagick-im-team] Wheezy update of imagemagick?
Emilio Pozuelo Monfort
pochu27 at gmail.com
Sat Dec 31 10:07:48 UTC 2016
On 28/12/16 23:08, Roberto C. Sánchez wrote:
> Hi Ola,
>
> The issues CVE-2016-8677 and CVE-2016-9559 were fixed by Antoine when he
> uploaded that latest imagemagick update to LTS. However, the
> announcement (DLA-756-1) did not list those issues among the issues that
> were addressed by that update. I have already mentioned it to him a
> couple of days ago via private email.

Hmm, it seems to me that the CVE-2016-8677 fix is incomplete:

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60

Our patch:
https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/tree/debian/patches/0127-CVE-2016-8677.patch?h=debian/8%256.7.7.10-5%2bdeb7u10

I have pushed a fix to the git repo, see:
https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/commit/?id=897f6693d7a98c93e813c0522effdbd69df4cd11

Does that look correct? Unfortunately there's no test case for this issue. How
do you normally test imagemagick?

Cheers,
Emilio