Re: imagemagick
Raphael Hertzog <hertzog@debian.org> writes:
>> For the memory leaks and null pointer issues: Do we take the pessimistic
>> point of view and assume that they are security issues that need fixing,
>> or should we be conservative?
>
> Depending on how it's used, both issues can lead to denial of
> service...
There are a number of DOS attacks against imagemagick that have been
labeled no-DSA already.
https://security-tracker.debian.org/tracker/source-package/imagemagick
Is there something different that makes these potential DOS attacks
worthy of a DSA/DLA?
I suspect DSA haven't looked at the latest issue yet, so we can't use
their recommendations just yet. I wouldn't be surprised if they mark
it as no-DSA. Although it could be an exception like TEMP-0773834-5EB6CF
which did get fixed for Jessie (but not yet Wheezy).
> The latest upstream release is in experimental, not in unstable. That
> might explain why you are not seeing patches disappear in sid... if you
> want to make a judgment call about the supportability of imagemagick then
> you would rather have to invest more time into analyzing the
> situation.
http://sources.debian.net/patches/summary/imagemagick/8:6.9.2.10+dfsg-1/
Only 19 patches in the experimental version. Which isn't great, but a
lot better than anything before experimental.
Of course, I assumed here that the patches were dropped because they
aren't needed any more. Which I suspect might be a reasonable
assumption, as it looks like the patches are tracked in git. For the
purposes of fixing this in squeeze it doesn't actually have any impact
anyway.
--
Brian May <bam@debian.org>