[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dla-needed/imagemagick entry

Hi Markus,

> We contacted the security team directly without CCing the lts mailing
> list. However they didn't reply to us.

OK, Roberto forwarded the discussion to me.

> > I think the security team opted for targeted fixes in the imagemagick case,
> > at least for CVE-2019-9956 (claims remote code execution) and
> > CVE-2019-10650, which appear to be the most important ones.
> > 
> > I'd also like to fix CVE-2019-11598, but that would be pretty much it. The
> > rest can be ignored, IMO.
> > 
> > Backporting targeted fixes should be feasible, even if the code changed
> > quite a bit. I'm not sure upgrading to a whole upstream release is worth
> > it.
> > 
> > Any comments?
> I was about to claim imagemagick in the next days and wanted to do some
> targeted fixes. My idea was to forward port the fixes we did in Wheezy
> and to fix everything else that seems in need of fixing. I haven't
> determined the severity of all no-dsa CVE yet. We could combine our work
> like I did with Mike and libav.

Good idea. I plan to work on CVE-2019-9956, CVE-2019-10650 and possibly
CVE-2019-11598. Do you think an upload ~ next week-end would be feasible
for you?


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to: