Re: CVE-2016-3714 in ImageMagick

To: Salvatore Bonaccorso <carnil@debian.org>, William Dauchy <wdauchy@gmail.com>
Cc: debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: CVE-2016-3714 in ImageMagick
From: Brian May <bam@debian.org>
Date: Fri, 06 May 2016 08:09:39 +1000
Message-id: <[🔎] 87zis4w40s.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 20160505092403.GA19574@eldamar.local>
References: <CAJ75kXYz_q_Je2N4-=CVTxZu+vDgDKJc8OnGCrNJYq=A3eQjvw@mail.gmail.com> <CAJ75kXZ1UgZb96a-YcBGW25O9MDbMo=NsMou01PPG058pV7JeQ@mail.gmail.com> <[🔎] 877ff9t00p.fsf@prune.linuxpenguins.xyz> <[🔎] CAJ75kXb2Cvkr9Cura90jt6_2ATNJVSCGuQi=ngJhheqTvhuRLw@mail.gmail.com> <[🔎] 20160505092403.GA19574@eldamar.local>

Salvatore Bonaccorso <carnil@debian.org> writes:

> See the discussion about this on
> http://www.openwall.com/lists/oss-security/2016/05/03/19 though.

Thanks for this. I did see it at the time, however didn't get a chance
yet to read it properly.

Also see the comment at the bottom of
https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181

It does seem like that these 2 patches combined don't fix CVE-2016-3714
and I can't see anything that attempts to fix CVE-2016-3715 -
CVE-2016-3718 either.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: CVE-2016-3714 in ImageMagick
  - From: Brian May <bam@debian.org>
- Re: CVE-2016-3714 in ImageMagick
  - From: William Dauchy <wdauchy@gmail.com>
- Re: CVE-2016-3714 in ImageMagick
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: CVE-2016-3714 in ImageMagick
Next by Date: Re: libidn test packages [resent]
Previous by thread: Re: CVE-2016-3714 in ImageMagick
Next by thread: Re: libidn test packages [resent]
Index(es):
- Date
- Thread