[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: graphicsmagick update

On 16/01/17 20:48, Antoine Beaupré wrote:
> Hi,
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
> I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
> however. The patch depends on the fairly new heigth/width "magick
> resource limit" management, which was introduced in [January
> 2015][2]. The [patch][2] is rather intrusive and i don't think is a good
> candidate for wheezy, especially because it probably breaks ABI
> compatibility. Attached is my best shot at porting the patch for
> CVE-2016-9830, which fails to comply, but may be useful for jessie or
> others.
> So I don't see any choice but to mark that issue as no-dsa. The impact
> of the patch is more of a DOS (memory exhaustion, from what I can tell)
> than code execution, so I think it doesn't warrant major code changes.
> I have built a package for amd64 in the [usual location][3] and attached
> the debdiff for the debu6 update. I confirm the patch here fixes
> CVE-2016-5240 properly.
> I am not sure I should upload this directly now considering it's such a
> small fix, but given that it crashes with the bad data, maybe it's worth
> it?

I'd say it makes sense to release a regression update.

BTW I'm not sure about this change, which is not mentioned in your changelog entry:

--- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.000000000 +0200
+++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.000000000 +0100
@@ -36,7 +36,7 @@
 CFLAGS = -Wall -g -fno-strict-aliasing

-include /usr/share/hardening-includes/hardening.make
+-include /usr/share/hardening-includes/hardening.make


Reply to: