Re: CVE-2017-14103 / graphicsmagick

To: debian-lts@lists.debian.org
Subject: Re: CVE-2017-14103 / graphicsmagick
From: Brian May <bam@debian.org>
Date: Thu, 05 Oct 2017 18:05:49 +1100
Message-id: <[🔎] 87tvzeaxbm.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 8760bvcsvk.fsf@prune.linuxpenguins.xyz>
References: <87mv60jrvg.fsf@prune.linuxpenguins.xyz> <87r2v4fo1r.fsf@prune.linuxpenguins.xyz> <[🔎] 8760bvcsvk.fsf@prune.linuxpenguins.xyz>

Brian May <bam@debian.org> writes:

> Test version now includes fixes for more CVEs. I did not patch
> CVE-2017-14733, because I couldn't find the code that the patch applies
> to.

Ok, understand CVE-2017-14733.

Images can declare ncolor channels==1 (greyscale only) or ==2 (makes no
sense).

Trouble is, when alpha channel present and we are processing this, we
assume we have at least 3 bytes per pixel: RGB, which just isn't going
to work.

At least that is my understanding reading the code.

Will make fix for this also.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: CVE-2017-14103 / graphicsmagick
  - From: Brian May <bam@debian.org>

References:
- Re: CVE-2017-14103 / graphicsmagick
  - From: Brian May <bam@debian.org>

Prev by Date: Re: CVE-2017-14103 / graphicsmagick
Next by Date: Re: Wheezy update for lame
Previous by thread: Re: CVE-2017-14103 / graphicsmagick
Next by thread: Re: CVE-2017-14103 / graphicsmagick
Index(es):
- Date
- Thread