
Re: imagemagick



Raphael Hertzog <hertzog@debian.org> writes:

>> For the memory leaks and null pointer issues: Do we take the pessimistic
>> point of view and assume that they are security issues that need fixing,
>> or should we be conservative?
>
> Depending on how it's used, both issues can lead to denial of
> service...

There are a number of DOS attacks against imagemagick that have been
labeled no-DSA already.

https://security-tracker.debian.org/tracker/source-package/imagemagick

Is there something different that makes these potential DOS attacks
worthy of a DSA/DLA?

I suspect DSA haven't looked at the latest issue yet, so we can't use
their recommendations just yet. I wouldn't be surprised if they mark
it as no-DSA. Although it could be an exception like TEMP-0773834-5EB6CF
which did get fixed for Jessie (but not yet Wheezy).

> The latest upstream release is in experimental, not in unstable. That
> might explain why you are not seeing patches disappear in sid... if you
> want to make a judgment call about the supportability of imagemagick then
> you would rather have to invest more time into analyzing the
> situation.

http://sources.debian.net/patches/summary/imagemagick/8:6.9.2.10+dfsg-1/

Only 19 patches in the experimental version. Which isn't great, but a
lot better than anything before experimental.

Of course, I assumed here that the patches were dropped because they
aren't needed any more. Which I suspect might be a reasonable
assumption, as it looks like the patches are tracked in git. For the
purposes of fixing this in squeeze it doesn't actually have any impact
anyway.
-- 
Brian May <bam@debian.org>

