
Re: imagemagick



On 2016-05-17 21:50:22, Brian May wrote:
> Hello,
>
> I have backported the patches for imagemagick in Jessie to Wheezy.
>
> As attached. I think most of this is straightforward however not 100%
> certain of the 0079-Indirect-filename-must-be-authorized-by-policy.patch
> patch.
>
> In particular, it returns ConstantString("") instead of NULL - I hope
> this is correct for the Wheezy version. There also appears to be a new
> check that returns ConstantString("") if the input string only contains
> whitespace that I included.
>
> I am looking to see if I can find a test case to test this against,
> however I don't see anything on oss-security.

The imagetragick folks have a PoCs test suite which I ran against
imagemagick before and after the policy.xml patch, which was sufficient
to block those PoCs:

https://github.com/ImageTragick/PoCs

Maybe it could be used to test with the code vs policy patches?

Not sure.

A.

-- 
Power is not to be conquered, it is to be destroyed
                        - Jean-François Brient, de la servitude moderne

