Re: ImageMagick - marking issue as not affecting wheezy?


On Thu, 27 Oct 2016, Roberto C. Sánchez wrote:
> https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
> https://bugs.debian.org/836171
> The diff that addresses this issue is here:
> https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1

This looks like the wrong diff. And don't forget to add the correct patch
URL to the notes in the tracker.


> It is rather short, so I include here as well:
> -    rows_per_strip=TIFFDefaultStripSize(tiff,0);
> +    rows_per_strip=1;
> +    if (TIFFScanlineSize(tiff) != 0)
> +      rows_per_strip=TIFFDefaultStripSize(tiff,0);
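
Review bot: the added branch assigns `rows_per_strip=TIFFDefaultStripSize(tiff,0);` with no lower bound, so the new `TIFFScanlineSize(tiff) != 0` guard covers only the zero-scanline case. If the call can return 0 for a non-zero scanline size, rows_per_strip ends up 0 again and the divide by zero this change is meant to address remains reachable. The wheezy code quoted just below clamps the same value with `MagickMax(...,1)`; I would keep that clamp in this hunk as well and add a one-line comment explaining why the default is 1.
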
> In the wheezy version of ImageMagick, the corresponding section of
> tiff.c looks like this:
>     rows_per_strip=1;
>     if (TIFFScanlineSize(tiff) != 0)
>       rows_per_strip=(uint32) MagickMax((size_t) TIFFDefaultStripSize(tiff,0),
>         1);
> Naturally, the patch fails to apply.  To me it appears that wheezy is
> unaffected by this issue.  Perhaps because the code was changed sometime
> after to something less secure and then changed back.  My
> instinct is that I do not need to change this section.  That being the

s/instinct/analysis/ hopefully, we are reasoning, not guessing...

Lacking any file to reproduce the issue, I believe that your analysis
is correct. 

> case, I believe that the correct action would be to add the following in
> data/CVE/list, under "CVE-2016-XXXX [TIFF divide by zero]" near line
> 5702:
> [wheezy] - imagemagick <not-affected> (Vulnerable code introduced after

That's correct. The description is maybe a bit misleading since you have
no certitude. "Vulnerability likely introduced in a later version"


Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
