Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5



On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
Control: tags -1 + moreinfo

On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>   The imagemagick maintainers (mostly Bastien) have prepared a new
> version of imagemagick for stable that fixes a series of minor
> security issues that the security team did not deem worthy of an
> upload to stable-security. Can we upload the following package? Here
> is the changelog:

While I've not checked each fix individually (mostly due to the lack of
Debian bugs referenced), at least these changes:

>     - Fix an integer overflow that can lead to a buffer overrun
>       in the icon parsing code (LP: #1459747, closes: #806441)
>     - Fix an integer overflow that can lead to a double free in
>       pict parsing (LP: #1448803, closes: #806441).

claim not to be fixed in unstable according to the BTS metadata, which
is a pre-requisite for fixing them in stable. Please could you clarify
the status of those and the other fixes.

  You are unfortunately correct. We have uploaded a fix to experimental, but it may not make its way to unstable for a while, so probably the wisest course is to backport the changes to unstable, and then I'll get back to you. Regarding your other comment, not all the security problems correspond to a bug report. I guess I'll just have to file a "global" one for a series of problems...

  Regards,

      Vincent