
Re: CVE-2016-3714 in ImageMagick



FYI: I CCed the debian-lts list.

William Dauchy <wdauchy@gmail.com> writes:

> On Wed, May 4, 2016 at 4:17 PM, William Dauchy <wdauchy@gmail.com> wrote:
>> I was looking at your last upload:
>> https://packages.qa.debian.org/i/imagemagick/news/20160504T124217Z.html
>>
>> Could you make sure to also integrate
>> https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
>> in order to completely fix CVE-2016-3714
>
> Sorry I forgot to mention, it goes along with
> https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccf8888cddc93
> which was marked as incomplete

Hello,

Thanks for your email.

Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to
CVE-2016-3718.

https://security-tracker.debian.org/tracker/source-package/imagemagick

If I correctly understand you, if both of the patches you mention are
applied to imagemagick, this will completely fix CVE-2016-3714?

Thanks
-- 
Brian May <bam@debian.org>

