
Re: Wheezy update of ikiwiki?



On Sat, 07 May 2016 at 23:36:36 +0200, Markus Koschany wrote:
> You are probably referring to CVE-2016-3714.

Yes, that's the remote code execution flaw. There are also various less
serious flaws discovered around the same time.

> I'm not sure but wouldn't a
> fix for ImageMagick also resolve this for ikiwiki?

It would if we had one, but at the moment we don't.

Based on the nature of the flaw leading to CVE-2016-3714 and the upstream
response to it, I'm also quite confident that this won't be the last
exploitable flaw in ImageMagick. ikiwiki is (at least partially) a wiki,
designed to survive use by untrusted editors, so it's a larger attack
surface than most webapps; the changes I made to mitigate CVE-2016-3714
should hopefully mean we avoid most future ImageMagick vulnerabilities
without further changes.

> CVE-2016-4561 would be rather easy to fix in Wheezy but if you think the
> ImageMagick mitigation is even more important, it is certainly possible
> to fix that too.

Yes, I do think that. The security team have given me permission to
upload both changes to jessie-security, so that's in the pipeline now.

I'll look into preparing a matching wheezy update tomorrow.

    S

