
graphicsmagick / CVE-2016-7447



Does suspicion of vulnerability count as requiring a security fix?

From upstream: "EscapeParenthesis(): I was notified by Gustavo Grieco of
a heap overflow in EscapeParenthesis() used in the text annotation
code. While not being able to reproduce the issue, the implementation of
this function is completely redone. This issue was assigned
CVE-2016-7447 after the release."

The update is:

http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d580e3c3c034

While the code is a significant improvement on the old code, does this
justify a security update?

Possibly the answer is Yes, when combined with fixes for the other
security issues against graphicsmagick. Thought I should check here
however.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/

