
ImageMagick - marking issue as not affecting wheezy?



Hello,

I decided (perhaps because I don't know any better) to take over
ImageMagick after Ben released his lock on it.

I have some questions about how to handle this issue:

https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
https://bugs.debian.org/836171

The diff that addresses this issue is here:

https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1

It is rather short, so I include it here as well:

       if ((image_info->interlace == PlaneInterlace) ||
           (image_info->interlace == PartitionInterlace))
         (void) TIFFSetField(tiff,TIFFTAG_PLANARCONFIG,PLANARCONFIG_SEPARATE);
-    rows_per_strip=TIFFDefaultStripSize(tiff,0);
+    rows_per_strip=1;
+    if (TIFFScanlineSize(tiff) != 0)
+      rows_per_strip=TIFFDefaultStripSize(tiff,0);
     option=GetImageOption(image_info,"tiff:rows-per-strip");
     if (option != (const char *) NULL)
       rows_per_strip=(size_t) strtol(option,(char **) NULL,10);
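Review bot: the guard added with `rows_per_strip=1;` / `if (TIFFScanlineSize(tiff) != 0)` only protects the default path; the `tiff:rows-per-strip` option path right below it still assigns `(size_t) strtol(option,(char **) NULL,10)` unchecked, so an option value of 0, a negative number (which wraps to a huge value when cast to size_t) or an unparsable string skips the new check entirely. Suggest clamping that result to at least 1 (the way the wheezy code does for the default value with `MagickMax(..., 1)`), or rejecting values that strtol cannot fully parse, so the divide-by-zero this commit addresses cannot be reintroduced through the option.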

In the wheezy version of ImageMagick, the corresponding section of
tiff.c looks like this:

      if ((image_info->interlace == PlaneInterlace) ||
          (image_info->interlace == PartitionInterlace))
        (void) TIFFSetField(tiff,TIFFTAG_PLANARCONFIG,PLANARCONFIG_SEPARATE);
    rows_per_strip=1;
    if (TIFFScanlineSize(tiff) != 0)
      rows_per_strip=(uint32) MagickMax((size_t) TIFFDefaultStripSize(tiff,0),
        1);
    option=GetImageArtifact(image,"tiff:rows-per-strip");
    if (option != (const char *) NULL)
      rows_per_strip=(size_t) strtol(option,(char **) NULL,10);

Naturally, the patch fails to apply.  To me it appears that wheezy is
unaffected by this issue.  Perhaps because the code was changed sometime
after 6.7.7.10 to something less secure and then changed back.  My
instinct is that I do not need to change this section.  That being the
case, I believe that the correct action would be to add the following in
data/CVE/list, under "CVE-2016-XXXX [TIFF divide by zero]" near line
5702:

[wheezy] - imagemagick <not-affected> (Vulnerable code introduced after 6.7.7.10)

The feedback I am seeking here is:

 1. Is my interpretation of the applicability of the patch correct?
 2. Is what I am proposing the correct way to resolve the issue so that
    it no longer appears as vulnerable in the security tracker?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
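To make the comparison between the two versions concrete, here is an added example (not ImageMagick's code, and not part of the original mail) that isolates the rows-per-strip selection as a pure function. The names `choose_rows_per_strip`, `scanline_size` and `default_strip_size` are assumptions: the caller passes what `TIFFScanlineSize()` and `TIFFDefaultStripSize(tiff,0)` would return, so no libtiff is needed. It keeps the upstream fallback to 1 for a zero scanline size and additionally hardens the `tiff:rows-per-strip` option path, which both versions leave unchecked.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for the ImageMagick logic: scanline_size and
 * default_strip_size are the values libtiff would have returned. */
size_t choose_rows_per_strip(size_t scanline_size,
                             size_t default_strip_size,
                             const char *option)
{
  size_t rows_per_strip;

  /* Mirrors the upstream fix: a zero scanline size means "1 row per strip"
   * instead of asking libtiff for a default strip size. */
  rows_per_strip = 1;
  if (scanline_size != 0)
    rows_per_strip = default_strip_size;

  /* Hardened "tiff:rows-per-strip" option path: keep the value chosen above
   * unless the option is a fully parsed, positive, non-overflowing integer.
   * This rejects "0", negatives (which would wrap when cast to size_t) and
   * trailing junk such as "12abc". */
  if (option != NULL)
    {
      char *end = NULL;
      long value;

      errno = 0;
      value = strtol(option, &end, 10);
      if (errno == 0 && end != option && *end == '\0' && value > 0)
        rows_per_strip = (size_t) value;
    }

  /* Final clamp, in the spirit of the wheezy MagickMax(...,1): never hand
   * a zero strip size to the writer. */
  if (rows_per_strip == 0)
    rows_per_strip = 1;
  return rows_per_strip;
}
```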


