Re: ImageMagick - marking issue as not affecting wheezy?
Hi,
On Thu, 27 Oct 2016, Roberto C. Sánchez wrote:
> https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
> https://bugs.debian.org/836171
>
> The diff that addresses this issue is here:
> https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1
This looks like the wrong diff. And don't forget to add the correct patch
URL to the notes in the tracker.
https://github.com/ImageMagick/ImageMagick/commit/728dc6a600cf4cbdac846964c85cc04339db8ac1
> It is rather short, so I include here as well:
>
> - rows_per_strip=TIFFDefaultStripSize(tiff,0);
> + rows_per_strip=1;
> + if (TIFFScanlineSize(tiff) != 0)
> + rows_per_strip=TIFFDefaultStripSize(tiff,0);
>
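Review bot: the guard `if (TIFFScanlineSize(tiff) != 0)` in this hunk only protects the scanline-size case; rows_per_strip is still set to whatever TIFFDefaultStripSize(tiff,0) returns, with no lower bound enforced in ImageMagick itself. The wheezy code quoted below wraps the same call in `MagickMax((size_t) TIFFDefaultStripSize(tiff,0), 1)`, which guarantees rows_per_strip >= 1 independent of libtiff's behaviour; the upstream fix would be more robust with that clamp kept, i.e. `rows_per_strip=(uint32) MagickMax((size_t) TIFFDefaultStripSize(tiff,0),1);`, rather than relying on the scanline-size check alone.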
> In the wheezy version of ImageMagick, the corresponding section of
> tiff.c looks like this:
>
> rows_per_strip=1;
> if (TIFFScanlineSize(tiff) != 0)
> rows_per_strip=(uint32) MagickMax((size_t) TIFFDefaultStripSize(tiff,0),
> 1);
>
> Naturally, the patch fails to apply. To me it appears that wheezy is
> unaffected by this issue. Perhaps because the code was changed sometime
> after 6.7.7.10 to something less secure and then changed back. My
> instinct is that I do not need to change this section. That being the
s/instinct/analysis/ hopefully, we are reasoning, not guessing...
Lacking any file to reproduce the issue, I believe that your analysis
is correct.
> case, I believe that the correct action would be to add the following in
> data/CVE/list, under "CVE-2016-XXXX [TIFF divide by zero]" near line
> 5702:
>
> [wheezy] - imagemagick <not-affected> (Vulnerable code introduced after 6.7.7.10)
That's correct. The description is maybe a bit misleading since you have
no certitude. "Vulnerability likely introduced in a later version"
https://security-team.debian.org/security_tracker.html
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/