Hello,

I decided (perhaps because I don't know any better) to take over ImageMagick after Ben released his lock on it. I have some questions about how to handle this issue:

https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
https://bugs.debian.org/836171

The diff that addresses this issue is here:

https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1

It is rather short, so I include it here as well:

   if ((image_info->interlace == PlaneInterlace) ||
       (image_info->interlace == PartitionInterlace))
     (void) TIFFSetField(tiff,TIFFTAG_PLANARCONFIG,PLANARCONFIG_SEPARATE);
-  rows_per_strip=TIFFDefaultStripSize(tiff,0);
+  rows_per_strip=1;
+  if (TIFFScanlineSize(tiff) != 0)
+    rows_per_strip=TIFFDefaultStripSize(tiff,0);
   option=GetImageOption(image_info,"tiff:rows-per-strip");
   if (option != (const char *) NULL)
     rows_per_strip=(size_t) strtol(option,(char **) NULL,10);

In the wheezy version of ImageMagick, the corresponding section of tiff.c looks like this:

   if ((image_info->interlace == PlaneInterlace) ||
       (image_info->interlace == PartitionInterlace))
     (void) TIFFSetField(tiff,TIFFTAG_PLANARCONFIG,PLANARCONFIG_SEPARATE);
   rows_per_strip=1;
   if (TIFFScanlineSize(tiff) != 0)
     rows_per_strip=(uint32) MagickMax((size_t) TIFFDefaultStripSize(tiff,0), 1);
   option=GetImageArtifact(image,"tiff:rows-per-strip");
   if (option != (const char *) NULL)
     rows_per_strip=(size_t) strtol(option,(char **) NULL,10);

Naturally, the patch fails to apply. To me it appears that wheezy is unaffected by this issue. Perhaps because the code was changed sometime after 6.7.7.10 to something less secure and then changed back. My instinct is that I do not need to change this section.

That being the case, I believe that the correct action would be to add the following in data/CVE/list, under "CVE-2016-XXXX [TIFF divide by zero]" near line 5702:

   [wheezy] - imagemagick <not-affected> (Vulnerable code introduced after 6.7.7.10)

The feedback I am seeking here is:

1. Is my interpretation of the applicability of the patch correct?
2. Is what I am proposing the correct way to resolve the issue so that it no longer appears as vulnerable in the security tracker?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
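Review bot: in the upstream hunk quoted above, the "tiff:rows-per-strip" override on the last three context lines is applied after the new guard and without validation, so `rows_per_strip=(size_t) strtol(option,(char **) NULL,10);` reinstates a zero (or, via the size_t cast of a negative value, an enormous) rows_per_strip that the added `rows_per_strip=1;` default was meant to rule out; suggest parsing the option with an end pointer and rejecting or clamping values that are not positive. A smaller point for the same hunk: the added `if (TIFFScanlineSize(tiff) != 0)` only guards the scanline size, whereas the wheezy line quoted below it also wraps the result in `MagickMax((size_t) TIFFDefaultStripSize(tiff,0), 1)`, so the upstream fix still accepts a zero return from TIFFDefaultStripSize itself; keeping that clamp would make the two trees behave the same.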
Attachment:
signature.asc
Description: Digital signature
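To make the applicability question concrete, here is an added example (not ImageMagick, libtiff or Roberto's code) that models the three ways of choosing rows_per_strip seen in the message: the unpatched line, the upstream fix, and a hardened variant that also validates the "tiff:rows-per-strip" override. The byte budget of 8192 is an assumption standing in for libtiff's default strip size, the model of TIFFDefaultStripSize is just that budget divided by the scanline size (returning a failure code where the real call would divide by zero), and the function names are invented for this example.

```c
/* Added example: a model of rows_per_strip selection, not ImageMagick or libtiff code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define STRIP_SIZE_TARGET 8192u   /* assumption: libtiff's default strip byte budget */

enum { RPS_OK = 0, RPS_DIVIDE_BY_ZERO = -1, RPS_BAD_OPTION = -2 };

/*
 * Model of TIFFDefaultStripSize(tiff, 0) (assumption: budget / scanline size).
 * A zero scanline size makes the real computation an integer divide by zero;
 * here that is reported as RPS_DIVIDE_BY_ZERO instead of raising SIGFPE.
 */
static int model_default_strip_size(uint32_t scanline_bytes, uint32_t *rows)
{
    if (scanline_bytes == 0)
        return RPS_DIVIDE_BY_ZERO;
    *rows = STRIP_SIZE_TARGET / scanline_bytes;   /* bare quotient, no clamping */
    return RPS_OK;
}

/* The '-' line of the upstream hunk: no guard before the default strip size. */
static int rows_per_strip_unpatched(uint32_t scanline_bytes, const char *option, uint32_t *out)
{
    uint32_t rows;
    if (model_default_strip_size(scanline_bytes, &rows) != RPS_OK)
        return RPS_DIVIDE_BY_ZERO;
    if (option != NULL)
        rows = (uint32_t) strtol(option, NULL, 10);   /* option taken verbatim */
    *out = rows;
    return RPS_OK;
}

/* The '+' lines of the upstream hunk: guard the scanline size, option still verbatim. */
static int rows_per_strip_upstream_fix(uint32_t scanline_bytes, const char *option, uint32_t *out)
{
    uint32_t rows = 1;
    if (scanline_bytes != 0 && model_default_strip_size(scanline_bytes, &rows) != RPS_OK)
        return RPS_DIVIDE_BY_ZERO;
    if (option != NULL)
        rows = (uint32_t) strtol(option, NULL, 10);   /* "0" or "-5" passes straight through */
    *out = rows;
    return RPS_OK;
}

/*
 * Hardened variant (added here, present in neither tree): clamp the default to
 * at least 1 like the wheezy MagickMax line, and accept the override only if it
 * parses completely to a positive value that fits in uint32_t.
 */
static int rows_per_strip_checked(uint32_t scanline_bytes, const char *option, uint32_t *out)
{
    uint32_t rows = 1;
    if (scanline_bytes != 0) {
        if (model_default_strip_size(scanline_bytes, &rows) != RPS_OK)
            return RPS_DIVIDE_BY_ZERO;
        if (rows == 0)            /* scanline wider than the budget */
            rows = 1;
    }
    if (option != NULL) {
        char *end = NULL;
        errno = 0;
        long v = strtol(option, &end, 10);
        if (errno != 0 || end == option || *end != '\0' || v <= 0 ||
            (unsigned long) v > UINT32_MAX)
            return RPS_BAD_OPTION;
        rows = (uint32_t) v;
    }
    *out = rows;
    return RPS_OK;
}

int main(void)
{
    /* Constructed inputs: (scanline size, option) pairs covering the edge cases. */
    const struct { uint32_t scanline; const char *option; } cases[] = {
        { 0, NULL }, { 100, NULL }, { 10000, NULL }, { 100, "0" }, { 100, "-5" }, { 100, "16x" }
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t a = 0, b = 0, c = 0;
        int ra = rows_per_strip_unpatched(cases[i].scanline, cases[i].option, &a);
        int rb = rows_per_strip_upstream_fix(cases[i].scanline, cases[i].option, &b);
        int rc = rows_per_strip_checked(cases[i].scanline, cases[i].option, &c);
        printf("scanline=%5u option=%-5s unpatched=(%d,%u) upstream=(%d,%u) checked=(%d,%u)\n",
               cases[i].scanline, cases[i].option ? cases[i].option : "none",
               ra, a, rb, b, rc, c);
    }
    return 0;
}
```

The `{100, "0"}` and `{10000, NULL}` rows are the ones worth looking at: the upstream guard stops the divide by zero on a zero scanline, but both an explicit override of 0 and a scanline wider than the byte budget still leave rows_per_strip at 0 in the upstream variant, which is why the wheezy clamp and some validation of the option are worth keeping together.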