[Pkg-gmagick-im-team] Wheezy update of imagemagick?
Bastien ROUCARIES
roucaries.bastien at gmail.com
Sat Dec 31 10:28:29 UTC 2016
On Sat, Dec 31, 2016 at 11:07 AM, Emilio Pozuelo Monfort
<pochu27 at gmail.com> wrote:
> On 28/12/16 23:08, Roberto C. Sánchez wrote:
>> Hi Ola,
>>
>> The issues CVE-2016-8677 and CVE-2016-9559 were fixed by Antione when he
>> uploaded that latest imagemagick update to LTS. However, the
>> announcement (DLA-756-1) did not list those issues among the issues that
>> were addressed by that update. I have already mentioned it to him a
>> couple of days ago via private email.
>
> Hmm, it seems to me that the CVE-2016-8677 fix is incomplete:
>
> Upstream fix:
> https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60
>
> Our patch:
> https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/tree/debian/patches/0127-CVE-2016-8677.patch?h=debian/8%256.7.7.10-5%2bdeb7u10
>
> I have pushed a fix to the git repo, see:
>
> https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/commit/?id=897f6693d7a98c93e813c0522effdbd69df4cd11
>
> Does that look correct? Unfortunately there's no test case for this issue. How
> do you normally test imagemagick?
I usually run make check with valgrind on, and I have with recent
version a poc directiry where I put poc.
Here problematic file is here:
https://github.com/ImageMagick/ImageMagick/files/472155/19.crashes.zip
you should run identify nameoffile
backporting tiff is usually a nightmare due to frequent code change on
imagemagick side
>
> Cheers,
> Emilio
More information about the Pkg-gmagick-im-team
mailing list