
Re: imagemagick CVE-2016-4562, CVE-2016-4563, CVE-2016-4564



Hi Brian,

On Wed, Jun 08, 2016 at 06:02:16PM +1000, Brian May wrote:
[...]
> In security tracker, all of these link to the same commit:
> 
> https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950
> Prevent buffer overflow in magick/draw.c

[...]

Yes, the situation for those CVEs is quite unfortunate. See MITRE's
explanation on https://marc.info/?l=oss-security&m=146505990532420&w=2 :

> The person who requested these CVE IDs from MITRE provided a security
> advisory showing three independent problems (also with quite different
> attack methodologies) that each happens to have a resultant buffer
> overflow. However, they do not plan to make their security advisory
> public. The CVE descriptions are based only on the surface-level
> code-change information that is public in GitHub. For open-source
> software, it is relatively rare for someone to compose a detailed
> advisory about multiple CVEs and keep it permanently non-public, but
> this can happen. One of the effects of non-public advisories is that
> the number of CVEs may seem unrelated to the commit message.

Regards,
Salvatore

