
Re: dla-needed/imagemagick entry

Hi Hugo,

On Sun, May 05, 2019 at 02:34:34PM +0200, Hugo Lefeuvre wrote:
> Hi Markus and Roberto,
> I just had a look at imagemagick in jessie and did some quick triage.
> I saw the following notes in dla-needed:
>     NOTE: 20190408: Still waiting on security team response to inquiries
>     from (apo) and (roberto)
> Did you CC debian-lts? I can't find the e-mail you're referring to :)
I did not.  In a few minutes I will bounce you the message from that
discussion (there are 5 or 6).  I won't bounce them to the list, though,
as I suspect they will get flagged as spam.

>     NOTE: 20181227: We should address the many open issues in imagemagick
>     either by patching them separately as we did in Wheezy or by updating
>     to a new upstream version like the security team did with GraphicsMagick
>     in Stretch. (apo)
> I think the security team opted for targeted fixes in the imagemagick case,
> at least for CVE-2019-9956 (claims remote code execution) and
> CVE-2019-10650, which appear to be the most important ones.
> I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> rest can be ignored, IMO.
> Backporting targeted fixes should be feasible, even if the code changed
> quite a bit. I'm not sure upgrading to a whole upstream release is worth
> it.
> Any comments?
That all makes sense.  I did not do any work on backporting fixes, apart
from making an attempt to build the latest upstream from sid in jessie.
Since the backport idea did not go anywhere, you should be able to pick
up from where the current state is in jessie.

Roberto C. Sánchez
