Re: graphicsmagick update
On 16/01/17 20:48, Antoine Beaupré wrote:
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
> I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
> however. The patch depends on the fairly new height/width "magick
> resource limit" management, which was introduced in [January
> 2015]. The [patch] is rather intrusive and I don't think it is a good
> candidate for wheezy, especially because it probably breaks ABI
> compatibility. Attached is my best shot at porting the patch for
> CVE-2016-9830, which fails to comply, but may be useful for jessie or
> So I don't see any choice but to mark that issue as no-dsa. The impact
> of the patch is more of a DOS (memory exhaustion, from what I can tell)
> than code execution, so I think it doesn't warrant major code changes.
> I have built a package for amd64 in the [usual location] and attached
> the debdiff for the debu6 update. I confirm the patch here fixes
> CVE-2016-5240 properly.
> I am not sure I should upload this directly now considering it's such a
> small fix, but given that it crashes with the bad data, maybe it's worth
I'd say it makes sense to release a regression update.
BTW I'm not sure about this change, which is not mentioned in your changelog entry:
--- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.000000000 +0200
+++ graphicsmagick-1.3.16/debian/rules 2017-01-16 19:22:54.000000000 +0100
@@ -36,7 +36,7 @@
CFLAGS = -Wall -g -fno-strict-aliasing
CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)
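Review bot: this debian/rules hunk is undocumented in the changelog, and since the visible lines are the ones carrying `$(HARDENING_CFLAGS)` and `$(HARDENING_LDFLAGS)`, any edit here changes the hardening flags the binaries are built with and needs a changelog line stating what was changed and why. The `+`/`-` markers and four of the seven lines announced by `@@ -36,7 +36,7 @@` did not survive in the quoted hunk, so which of `CFLAGS = -Wall -g -fno-strict-aliasing`, `CFLAGS += $(HARDENING_CFLAGS)` or `LDFLAGS += $(HARDENING_LDFLAGS)` was altered cannot be seen here; please quote the complete hunk so the change can be reviewed.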