Re: ImageMagick - marking issue as not affecting wheezy?
On Thu, 27 Oct 2016, Roberto C. Sánchez wrote:
> The diff that addresses this issue is here:

This looks like the wrong diff. And don't forget to add the correct patch
URL to the notes in the tracker.

> It is rather short, so I include here as well:
> - rows_per_strip=TIFFDefaultStripSize(tiff,0);
> + rows_per_strip=1;
> + if (TIFFScanlineSize(tiff) != 0)
> + rows_per_strip=TIFFDefaultStripSize(tiff,0);
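Review bot: the value assigned on the guarded line, `rows_per_strip=TIFFDefaultStripSize(tiff,0);`, is still taken without a lower bound; the new check only tests TIFFScanlineSize(tiff), so if rows_per_strip must never be zero the result should be clamped to at least 1, matching the `rows_per_strip=1` fallback. The added `if` also has no braces and no comment, so nothing in the hunk records that a zero scanline size is the case being excluded; bracing the assignment and adding a one-line comment saying so would keep the guard from being dropped as redundant later.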
> In the wheezy version of ImageMagick, the corresponding section of
> tiff.c looks like this:
> if (TIFFScanlineSize(tiff) != 0)
> rows_per_strip=(uint32) MagickMax((size_t) TIFFDefaultStripSize(tiff,0),
> Naturally, the patch fails to apply. To me it appears that wheezy is
> unaffected by this issue. Perhaps because the code was changed sometime
> after 188.8.131.52 to something less secure and then changed back. My
> instinct is that I do not need to change this section. That being the
s/instinct/analysis/ hopefully, we are reasoning, not guessing...
Lacking any file to reproduce the issue, I believe that your analysis
> case, I believe that the correct action would be to add the following in
> data/CVE/list, under "CVE-2016-XXXX [TIFF divide by zero]" near line
> [wheezy] - imagemagick <not-affected> (Vulnerable code introduced after 184.108.40.206)
That's correct. The description is maybe a bit misleading since you have
no certitude. "Vulnerability likely introduced in a later version"
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/