Re: CVE-2017-14103 / graphicsmagick
Brian May <bam@debian.org> writes:
> Test version now includes fixes for more CVEs. I did not patch
> CVE-2017-14733, because I couldn't find the code that the patch applies
> to.
Ok, understand CVE-2017-14733.
Images can declare ncolor channels==1 (greyscale only) or ==2 (makes no
sense).
Trouble is, when an alpha channel is present and we are processing this, we
assume we have at least 3 bytes per pixel: RGB, which just isn't going
to work.
At least that is my understanding reading the code.
Will make a fix for this also.
--
Brian May <bam@debian.org>
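
The check described in the message above, as an added example that is not part of the original message and is not GraphicsMagick code: the per-pixel stride is derived from the declared channel count instead of being assumed to be RGB, and the buffers are validated before any pixel is read. The function name `expand_to_rgba`, the interleaved sample layout, and the choice to reject a channel count of 2 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoder helper (illustration only, not GraphicsMagick code).
 * src: interleaved samples, ncolors colour bytes per pixel plus one alpha
 *      byte when has_alpha is set.
 * dst: receives RGBA, 4 bytes per pixel.
 * Returns 0 on success, -1 if the header does not match the buffers. */
int expand_to_rgba(const uint8_t *src, size_t src_len,
                   unsigned ncolors, int has_alpha, size_t npixels,
                   uint8_t *dst, size_t dst_len)
{
    /* Accept greyscale (1) and RGB (3) only; 2 is rejected (assumption). */
    if (ncolors != 1 && ncolors != 3)
        return -1;

    /* Stride comes from the header, never from an "at least RGB" guess. */
    size_t stride = ncolors + (has_alpha ? 1 : 0);

    /* stride <= 4, so this bound also keeps npixels * stride from wrapping. */
    if (npixels > SIZE_MAX / 4)
        return -1;
    if (npixels * stride > src_len || npixels * 4 > dst_len)
        return -1;

    for (size_t i = 0; i < npixels; i++) {
        const uint8_t *p = src + i * stride;
        uint8_t *q = dst + i * 4;
        if (ncolors == 1) {
            q[0] = q[1] = q[2] = p[0];          /* replicate grey sample */
        } else {
            q[0] = p[0]; q[1] = p[1]; q[2] = p[2];
        }
        q[3] = has_alpha ? p[ncolors] : 0xFF;   /* alpha follows the colours */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: two grey+alpha pixels (2 bytes each). */
    const uint8_t grey_alpha[4] = {10, 200, 20, 100};
    uint8_t out[8];
    int ok = expand_to_rgba(grey_alpha, sizeof grey_alpha, 1, 1, 2, out, sizeof out);
    /* Same bytes with a header claiming RGB+alpha would need 8 input bytes. */
    int bad = expand_to_rgba(grey_alpha, sizeof grey_alpha, 3, 1, 2, out, sizeof out);
    printf("grey+alpha: %d, rgb+alpha on short buffer: %d\n", ok, bad);
    return 0;
}
```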