
Re: imagemagick



Hello Security Team,

As a contributor to squeeze-lts, it was suggested that I contact the
security team for advice on how to handle the security updates for
imagemagick in squeeze-lts.

As per my email to debian LTS (below), I identified five patches from
the unstable version which look relevant:

0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
0070-Fix-PixelColor-off-by-one-on-i386.patch
0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
0073-Fixed-memory-leaks.patch

I have been advised each of these issues should have its own CVE.

I have also been advised that the memory leaks aren't worth bothering
with, so that leaves 0070, 0071, and 0072 that we would need to deal with.

Out of this, only the 0071 patch applies cleanly to the version in
squeeze.

I also note that a number of security issues concerning imagemagick have
been marked no-DSA for wheezy and jessie.

What would you advise for these issues?

Also I note that a number of security issues fixed in squeeze-lts don't
have assigned CVEs - is this something that needs rectifying?


Brian May <bam@debian.org> writes:

> Just been looking at this again:
>
> There are five patches from the unstable version which look relevant:
>
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
>
> Out of these, only 0071 applies cleanly.
>
> The others, it looks like the code base is considerably different, and
> it is very possible that these problems may not even have been in the
> squeeze version.
>
> I might be able to get somewhere with 0072 if I persisted, not sure I
> would necessarily be able to trust the results.
>
> So I am inclined to apply the 0071 patch to the version in squeeze, and
> then mark TEMP-0811308-B63DA1 as resolved. Or should I do something else
> like create separate entries for each issue or something?
> -- 
> Brian May <bam@debian.org>
-- 
Brian May <bam@debian.org>

