[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: imagemagick

Luciano Bello <luciano@debian.org> writes:

> On Sunday 06 March 2016 16.34.26 Brian May wrote:
>> The following patch applied to the imagemagick in Debian wheezy should
>> fix the security problem already resolved in squeeze. The patches have
>> been ported from the squeeze version.
>
> This is great! Thanks!
> Just a small comment, we usually use high urgency for these kind of
> issues.

Oops. Can fix this.


> Do you think is also possible to include the issues from
> TEMP-0811308-B63DA1?

All but one of the patches fails to apply. Suspect this will be
non-trivial to fix. It is possible that this means the vulnerability
doesn't exist.


Should I apply the
0071-Prevent-null-pointer-access-in-magick-constitute.c.patch patch?

It looks like it should be possible to massage
0072-Fixed-out-of-bounds-error-in-SpliceImage.patch into place too, as
only the first hunk fails, and it just adds a new function.


[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
checking file coders/psd.c
Hunk #1 FAILED at 1521.
1 out of 1 hunk FAILED
[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch
checking file coders/jpeg.c
Hunk #1 succeeded at 1626 (offset -42 lines).
Hunk #2 succeeded at 1635 (offset -42 lines).
Hunk #3 succeeded at 1657 (offset -42 lines).
Hunk #4 succeeded at 1667 (offset -42 lines).
Hunk #5 succeeded at 1677 (offset -42 lines).
Hunk #6 succeeded at 1687 (offset -42 lines).
Hunk #7 succeeded at 1697 (offset -42 lines).
Hunk #8 succeeded at 1707 (offset -42 lines).
Hunk #9 succeeded at 1717 (offset -42 lines).
Hunk #10 succeeded at 1746 (offset -42 lines).
checking file magick/cache.c
Hunk #1 succeeded at 673 (offset -2747 lines).
Hunk #2 FAILED at 3432.
Hunk #3 FAILED at 3452.
Hunk #4 FAILED at 3484.
Hunk #5 FAILED at 4178.
Hunk #6 FAILED at 4185.
Hunk #7 FAILED at 4192.
Hunk #8 FAILED at 4205.
Hunk #9 succeeded at 4726 with fuzz 2 (offset 329 lines).
7 out of 9 hunks FAILED
checking file magick/color.c
Hunk #1 FAILED at 2731.
Hunk #2 FAILED at 2755.
2 out of 2 hunks FAILED
checking file magick/identify.c
Hunk #1 succeeded at 220 (offset -235 lines).
Hunk #2 succeeded at 235 (offset -235 lines).
[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
checking file magick/constitute.c
Hunk #1 succeeded at 1347 (offset 48 lines).
Hunk #2 succeeded at 1367 (offset 48 lines).
[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
checking file magick/transform.c
Hunk #1 FAILED at 95.
Hunk #2 succeeded at 1646 (offset -87 lines).
Hunk #3 succeeded at 1731 (offset -87 lines).
Hunk #4 succeeded at 1755 (offset -87 lines).
Hunk #5 succeeded at 1766 (offset -87 lines).
Hunk #6 succeeded at 1836 (offset -85 lines).
Hunk #7 succeeded at 1849 (offset -85 lines).
1 out of 7 hunks FAILED
[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch
checking file magick/nt-base.c
Hunk #1 FAILED at 1107.
Hunk #2 FAILED at 1116.
2 out of 2 hunks FAILED
checking file magick/utility.c
Hunk #1 FAILED at 1817.
Hunk #2 FAILED at 1828.
Hunk #3 FAILED at 1877.
3 out of 3 hunks FAILED

-- 
Brian May <bam@debian.org>
Reply to: