[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: imagemagick

On Feb/11, Brian May wrote:
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
> I have been advised each of these issues should have its own CVE.
> I have also been advised that the memory leaks aren't worth bothering
> with, so that leaves 0070, 0071, and 0072 that we would need to deal
> with.
> Out of this, only the 0071 patch applies cleanly to the version in
> squeeze.
> I also note that a number of security issues concerning imagemagick
> have been marked no-DSA for wheezy and jessie.
> What would you advise for these issues?

Having a CVE associated to each security issue is definitely a plus, at
the very least for those issues serious enough to be fixed via a

> Also I note that a number of security issues fixed in squeeze-lts
> don't have assigned CVEs - is this something that needs rectifying?

It's always a plus, yes.

So, to summarize:

  - imagemagick in squeeze appears to only be vulnerable

  - issues fixed via a DLA, but lacking a CVE, are:
    + TEMP-0806441-CB092C[1]
    + TEMP-0806441-76CD60[2]
    + TEMP-0773834-5EB6CF[3]

I personally would only request CVEs for those 4 issues, even though in
the end it's your choice to also ask for those tagged no-dsa.



[0] https://security-tracker.debian.org/tracker/TEMP-0811308-B63DA1
[1] https://security-tracker.debian.org/tracker/TEMP-0806441-CB092C
[2] https://security-tracker.debian.org/tracker/TEMP-0806441-76CD60
[3] https://security-tracker.debian.org/tracker/TEMP-0773834-5EB6CF

Reply to: