
Re: CVE-2017-14103 / graphicsmagick



Brian May <bam@debian.org> writes:

> Test version now includes fixes for more CVEs. I did not patch
> CVE-2017-14733, because I couldn't find the code that the patch applies
> to.

Ok, understand CVE-2017-14733.

Images can declare ncolor channels==1 (greyscale only) or ==2 (makes no
sense).

Trouble is, when an alpha channel is present and we are processing this, we
assume we have at least 3 bytes per pixel (RGB), which just isn't going
to work.

At least that is my understanding reading the code.

Will make fix for this also.
-- 
Brian May <bam@debian.org>
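An added illustration of the failure mode described above, written for this page and not taken from GraphicsMagick or the CVE-2017-14733 patch (the buffer layout, the function names and the two-pixel grey+alpha sample are all assumptions). It puts a naive unpacker, which strides by the real per-pixel size but still reads three colour bytes plus a fourth alpha byte, beside a checked version that derives every offset from the declared channel count and validates the declared layout against the buffer size before touching a pixel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 2-pixel grey+alpha image, i.e. one colour channel
 * plus alpha, so each pixel is 2 bytes laid out as G A G A. */
static const uint8_t kGreyAlpha[] = { 0x10, 0xff, 0x20, 0x80 };
#define KGREYALPHA_LEN (sizeof(kGreyAlpha))

/* Pack R,G,B,A into one value so results can be compared directly. */
static int64_t pack_rgba(uint8_t r, uint8_t g, uint8_t b, uint8_t a) {
    return ((int64_t)r << 24) | ((int64_t)g << 16) | ((int64_t)b << 8) | a;
}

/* Bounds-checked byte read: reports an out-of-range offset instead of
 * reading past the buffer, so the overread is observed, not executed. */
static int read_byte(const uint8_t *buf, size_t buflen, size_t off, uint8_t *v) {
    if (off >= buflen) return 0;
    *v = buf[off];
    return 1;
}

/* Naive unpacker (hypothetical): strides by the real per-pixel size but
 * always reads R,G,B from the first three bytes and alpha from the fourth.
 * With one colour channel plus alpha (stride 2) the "G" and "B" bytes are
 * really the next pixel, and the last pixel runs off the end of the buffer.
 * Returns packed RGBA, or -1 when a read would leave the buffer. */
int64_t unpack_naive(const uint8_t *buf, size_t buflen, unsigned channels,
                     int has_alpha, size_t idx) {
    size_t stride = (size_t)channels + (has_alpha ? 1u : 0u);
    size_t base = idx * stride;
    uint8_t r, g, b, a = 0xff;
    if (!read_byte(buf, buflen, base + 0, &r)) return -1;
    if (!read_byte(buf, buflen, base + 1, &g)) return -1;
    if (!read_byte(buf, buflen, base + 2, &b)) return -1;
    if (has_alpha && !read_byte(buf, buflen, base + 3, &a)) return -1;
    return pack_rgba(r, g, b, a);
}

/* Validate the declared layout before any pixel is touched: only 1 (grey)
 * or 3 (RGB) colour channels are meaningful, and the buffer must hold every
 * pixel at the real stride. Returns the stride, or 0 if the header is
 * rejected. The division keeps the size check free of overflow. */
size_t validate_layout(unsigned channels, int has_alpha, size_t npixels, size_t buflen) {
    if (channels != 1 && channels != 3) return 0;
    size_t stride = (size_t)channels + (has_alpha ? 1u : 0u);
    if (npixels > buflen / stride) return 0;
    return stride;
}

/* Checked unpacker: every offset comes from the declared channel count.
 * Grey is replicated into R,G,B and alpha sits at offset `channels`, so a
 * 2-byte pixel is never read as if it were 3 or 4 bytes wide. */
int64_t unpack_checked(const uint8_t *buf, size_t buflen, unsigned channels,
                       int has_alpha, size_t npixels, size_t idx) {
    size_t stride = validate_layout(channels, has_alpha, npixels, buflen);
    if (stride == 0 || idx >= npixels) return -1;
    const uint8_t *px = buf + idx * stride;
    uint8_t r, g, b;
    if (channels == 1) {
        r = g = b = px[0];
    } else {
        r = px[0]; g = px[1]; b = px[2];
    }
    uint8_t a = has_alpha ? px[channels] : 0xff;
    return pack_rgba(r, g, b, a);
}

int main(void) {
    for (size_t i = 0; i < 2; i++) {
        printf("pixel %zu: naive=%lld checked=%lld\n", i,
               (long long)unpack_naive(kGreyAlpha, KGREYALPHA_LEN, 1, 1, i),
               (long long)unpack_checked(kGreyAlpha, KGREYALPHA_LEN, 1, 1, 2, i));
    }
    return 0;
}
```

Pixel 0 shows the silent corruption (the naive reader returns the next pixel's grey and alpha bytes as G and B) and pixel 1 shows the overread itself; the checked version also refuses a header that declares two colour channels, or more pixels than the buffer can hold.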

