[Pkg-gmagick-im-team] Bug#823542: Bug#823542: imagemagick-common: please mitigate CVE-2016-3714, remote arbitrary code execution during handling of delegates

Simon McVittie smcv at debian.org
Mon May 9 08:45:32 UTC 2016


On Mon, 09 May 2016 at 07:17:33 +0000, Bastien Roucaries wrote:
> Could you wait about nmu. I have more patches...

Don't worry, I don't intend to NMU imagemagick, certainly not without
getting some sort of review from its maintainers and/or the security team.

Here is what I have so far (entirely untested). Unfortunately, it fails
to build from source, because imagemagick's own build process converts
SVG to PNG for the icons. Without Inkscape installed, that goes via
MVG format, which I've just disabled... so that won't work. You might
have to build-depend on inkscape if you go this route :-(

    S
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0076-policy.xml-disable-various-coders-to-mitigate-CVE-20.patch
Type: text/x-diff
Size: 1589 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0009.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0077-The-caption-option-no-longer-fails-for-filenames-wit.patch
Type: text/x-diff
Size: 2143 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0010.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0078-Indirect-filename-must-be-authorized-by-policy.patch
Type: text/x-diff
Size: 1754 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0011.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0079-Disarm-CVE-2016-3717-by-preventing-indirect-reads-wi.patch
Type: text/x-diff
Size: 772 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0012.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0080-Sanitize-input-filename-for-http-https-delegates.patch
Type: text/x-diff
Size: 4380 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0013.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0081-Second-effort-to-sanitize-input-string.patch
Type: text/x-diff
Size: 1008 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0014.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0082-Remove-GNUPlot-delegate-CVE-2016-3714.patch
Type: text/x-diff
Size: 2374 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0015.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0083-Less-secure-coders-require-explicit-reference-e.g.-m.patch
Type: text/x-diff
Size: 3077 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0016.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0084-Remove-support-for-internal-ephemeral-coder.patch
Type: text/x-diff
Size: 3215 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gmagick-im-team/attachments/20160509/f36f81ed/attachment-0017.patch>
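
An added example, not part of the original message or its attached patches: a small audit that reads a policy.xml and reports which coders are still usable, the check one would run after applying a coder-disabling policy like the one described above. The coder list (taken from the public CVE-2016-3714 mitigation advice, not from the scrubbed patch), the sample policy and the function names are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumed list: coders named in the public CVE-2016-3714 mitigation advice.
# It is NOT read from the scrubbed 0076 patch.
CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample policy with two deliberate mistakes (MSL, url).
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTP*"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="read|write" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="url"/>
</policymap>"""


def coder_status(policy_xml, coders=CODERS):
    """Map each coder name to True if the policy blocks it.

    A coder counts as blocked only when at least one matching coder entry
    has rights="none" and no matching entry grants any rights, so the
    answer does not depend on the order policies are evaluated in.
    Patterns are matched case-sensitively against the upper-case coder
    name; brace alternations such as {A,B} are not expanded, so they are
    reported as not blocked rather than guessed at.
    """
    root = ET.fromstring(policy_xml)
    entries = [
        (p.get("pattern", ""), p.get("rights", "").strip().lower())
        for p in root.iter("policy")
        if p.get("domain", "").lower() == "coder"
    ]
    status = {}
    for coder in coders:
        rights = [r for pat, r in entries if fnmatch.fnmatchcase(coder, pat)]
        status[coder] = bool(rights) and all(r == "none" for r in rights)
    return status


def unblocked(policy_xml, coders=CODERS):
    """Return the sorted list of coders the policy still allows."""
    status = coder_status(policy_xml, coders)
    return sorted(c for c, blocked in status.items() if not blocked)


if __name__ == "__main__":
    for name in unblocked(SAMPLE_POLICY):
        print("still enabled:", name)
```

With MVG reported as blocked, an SVG conversion that falls back to MVG will fail, which is the build failure described in the message.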

