
Re: imagemagick



On Tue, 09 Feb 2016, Brian May wrote:
> Just been looking at this again:
> 
> There are five patches from the unstable version which look relevant:
> 
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
> 
> Out of these, only 0071 applies cleanly.
> 
> The others, it looks like the code base is considerably different, and
> it is very possible that these problems may not even have been in the
> squeeze version.
> 
> I might be able to get somewhere with 0072 if I persisted, not sure I
> would necessarily be able to trust the results.
> 
> So I am inclined to apply the 0071 patch to the version in squeeze, and
> then mark TEMP-0811308-B63DA1 as resolved. Or should I do something else
> like create separate entries for each issue or something?

It really depends on which of those sub-issues you consider real security
issues deserving a CVE of its own.

It's probably best to seek the second opinion of the security team, after
all someone has to handle the pending "check" to decide what is an issue
and what is not.

From a cursory look, they are all possible security issues (thus worth
splitting and getting CVE) although I'm not sure that I would really
bother with memory leaks.

So it's probably best to split it and request CVE for each non-memory leak
issue. You can still mark no-dsa those that are not worth fixing in
Debian.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
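The "applies cleanly" test Brian describes is the first cut of any backport triage: run each upstream patch against the old tree without writing anything, and only the failures become hand-port work. As an added example (not code from this thread, from Debian's tooling or from ImageMagick), the script below re-implements the core of that check in Python for an in-memory tree: each hunk's old-side lines must occur verbatim in the target file, searched outward from the hunk's stated line, with no fuzz and no file creation. The tree, file names and the three patches are constructed stand-ins, not the real 0069 to 0073 series.

```python
"""Added example: a minimal dry-run checker for unified diffs, doing what
`patch --dry-run -p1` does for "does this backport apply cleanly?".
Exact context matching with patch-style offset search; no fuzz, no file
creation or deletion, nothing written. Sample tree and patches are constructed."""
import re
from typing import Dict, List, Optional, Tuple

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(diff: str) -> Dict[str, List[Tuple[int, List[str]]]]:
    """Map each patched path (first component stripped, as with -p1) to its
    hunks as (old_start_line, old_side_lines)."""
    files: Dict[str, List[Tuple[int, List[str]]]] = {}
    path, hunk = None, None
    for line in diff.splitlines():
        if line.startswith("--- "):
            path = line[4:].split("\t")[0].split("/", 1)[-1]
            files.setdefault(path, [])
            hunk = None
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            if m is None or path is None:
                raise ValueError("malformed hunk header: " + line)
            hunk = (int(m.group(1)), [])
            files[path].append(hunk)
        elif hunk is not None and (line == "" or line[0] in " -"):
            hunk[1].append(line[1:])  # context and removed lines must match
        # '+++', added lines, index lines and '\ No newline' carry no old text
    return files


def find_hunk(target: List[str], start: int, old: List[str]) -> Optional[int]:
    """0-based index where `old` matches `target`, trying positions nearest
    the hunk's stated line first; None if it matches nowhere."""
    n = len(old)
    for i in sorted(range(len(target) - n + 1), key=lambda i: abs(i - (start - 1))):
        if target[i:i + n] == old:
            return i
    return None


def check_patch(tree: Dict[str, str], diff: str) -> Tuple[bool, str]:
    """Dry-run one patch against an in-memory tree {path: contents}."""
    for path, hunks in parse_unified_diff(diff).items():
        if path not in tree:
            return False, f"{path}: no such file"  # code absent in the old tree?
        lines = tree[path].splitlines()
        for k, (start, old) in enumerate(hunks, 1):
            if find_hunk(lines, start, old) is None:
                return False, f"{path}: hunk #{k} FAILED at {start}"
    return True, "applies cleanly"


def triage(tree: Dict[str, str], patches: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Check a whole patch series; the failures are the manual backport work."""
    return {name: check_patch(tree, patches[name]) for name in sorted(patches)}


# Constructed stand-in for the old tree: one file with the older signature.
OLD_TREE = {"magick/constitute.c": "int constitute(void *p)\n{\n  return *(int *)p;\n}\n"}

# Constructed patches: A matches the old context, B was written against a newer
# signature the old tree never had, C touches a file the old tree lacks.
SAMPLE_PATCHES = {
    "0071-null-check.patch": """\
--- a/magick/constitute.c
+++ b/magick/constitute.c
@@ -1,4 +1,6 @@
 int constitute(void *p)
 {
+  if (p == 0)
+    return -1;
   return *(int *)p;
 }
""",
    "0072-newer-api.patch": """\
--- a/magick/constitute.c
+++ b/magick/constitute.c
@@ -1,3 +1,5 @@
 int constitute(const void *p, size_t n)
 {
+  if (n < sizeof(int))
+    return -1;
   return *(const int *)p;
""",
    "0073-missing-file.patch": """\
--- a/magick/transform.c
+++ b/magick/transform.c
@@ -10,2 +10,4 @@
 int splice(int x, int n)
 {
+  if (x < 0 || x >= n)
+    return -1;
""",
}

if __name__ == "__main__":
    for name, (ok, why) in triage(OLD_TREE, SAMPLE_PATCHES).items():
        print("APPLIES" if ok else "FAILS  ", name, why)
```

A hunk that fails for a file the old tree does not contain at all is the case Brian raises: the vulnerable code may simply not exist in the older version, which is worth confirming from the source history before marking the issue fixed rather than not-affected. Real `patch` additionally tolerates a fuzz of two context lines by default, so a hunk this checker rejects can still apply with fuzz; treat a fuzzed match as a prompt to read the surrounding code, not as a clean apply.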

