
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
  Hello,

On Mon, Jan 18, 2016 at 9:39 PM, Vincent Fourmond <fourmond@debian.org> wrote:
On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond <fourmond@debian.org> wrote:
On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
Control: tags -1 + moreinfo

On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>   The imagemagick maintainers (mostly Bastien) have prepared a new
> version of imagemagick for stable that fixes a series of minor
> security issues that the security team did not deem worthy of an
> upload to stable-security. Can we upload the following package? Here
> is the changelog:

While I've not checked each fix individually (mostly due to the lack of
Debian bugs referenced), at least these changes:

>     - Fix an integer overflow that can lead to a buffer overrun
>       in the icon parsing code (LP: #1459747, closes: #806441)
>     - Fix an integer overflow that can lead to a double free in
>       pict parsing (LP: #1448803, closes: #806441).

claim not to be fixed in unstable according to the BTS metadata, which
is a pre-requisite for fixing them in stable. Please could you clarify
the status of those and the other fixes.

  You are unfortunately correct. We have uploaded a fix to experimental, but it may not make its way to unstable for a while, so probably the wisest course is to backport the changes to unstable, and then I'll get back to you.

  I have uploaded a -7 version to unstable that fixes the security problems mentioned above (some of those had been fixed before). I have also updated the changelog to make the changes easier to track. Essentially, the upload I'm proposing (debdiff to stable attached) makes stable and unstable identical, since there were only security fixes involved (the bulk of the work is happening in experimental, but there are transitions involved, so it's not very fast...). Is that OK for an upload to jpu?

  Can I upload to jpu, then? Or should the fix move to testing first?

  Cheers,

      Vincent
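
The two changelog entries quoted above name integer overflows that lead to a buffer overrun (icon parsing) and a double free (pict parsing). The C program below is an added example, not code from ImageMagick or from the Debian patches in this thread: it shows the general shape of the first bug class, a buffer size computed from untrusted header fields that wraps in 32-bit arithmetic, beside the checked computation that a fix of this kind uses. The header layout, the size cap, the payload bytes and all function names are invented for the example and do not correspond to the ICO format or to the real fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example header; NOT the ICO/CUR layout and NOT the
 * structures used by ImageMagick's icon coder. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} icon_header_t;

/* Arbitrary cap on a decoded bitmap (an assumption for this example). */
#define MAX_PIXEL_BYTES ((size_t)256 * 1024 * 1024)

/* The unsafe pattern: all three fields are 32-bit, so the product wraps
 * silently. A header claiming 65536 x 65536 x 4 yields 0 here; a decoder
 * that allocates that many bytes and then writes width*height pixels
 * runs off the end of the buffer. */
uint32_t naive_pixel_bytes(const icon_header_t *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* The hardened pattern: reject zero dimensions, check each multiplication
 * against SIZE_MAX before doing it, then apply a sanity cap.
 * Returns 0 and sets *out on success, -1 otherwise. */
int checked_pixel_bytes(const icon_header_t *h, size_t *out)
{
    size_t n;

    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return -1;
    if ((size_t)h->height > SIZE_MAX / h->width)
        return -1;
    n = (size_t)h->width * h->height;
    if ((size_t)h->bytes_per_pixel > SIZE_MAX / n)
        return -1;
    n *= h->bytes_per_pixel;
    if (n > MAX_PIXEL_BYTES)
        return -1;
    *out = n;
    return 0;
}

/* Copy the pixel payload into a buffer sized from the checked header.
 * Returns a malloc'd buffer (caller frees) or NULL when the size check
 * fails or the file is shorter than the header claims. */
uint8_t *load_icon_pixels(const icon_header_t *h,
                          const uint8_t *payload, size_t payload_len)
{
    size_t need;
    uint8_t *buf;

    if (checked_pixel_bytes(h, &need) != 0)
        return NULL;
    if (payload_len < need)      /* truncated input: never read past it */
        return NULL;
    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, need);
    return buf;
}

/* Self-checks: each returns 1 when the behaviour described above holds. */
int demo_naive_wraps_to_zero(void)
{
    icon_header_t h = { 65536u, 65536u, 4u };   /* 2^32 * 4 wraps to 0 */
    return naive_pixel_bytes(&h) == 0u;
}

int demo_checked_rejects(void)
{
    icon_header_t h = { 65536u, 65536u, 4u };
    size_t n = 0;
    return checked_pixel_bytes(&h, &n) == -1;
}

int demo_small_icon_loads(void)
{
    /* Constructed 2x2x4 payload, 16 bytes. */
    static const uint8_t payload[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                         9, 10, 11, 12, 13, 14, 15, 16 };
    icon_header_t h = { 2u, 2u, 4u };
    uint8_t *p = load_icon_pixels(&h, payload, sizeof payload);
    int ok = (p != NULL && p[15] == 16);
    free(p);
    return ok;
}

int demo_truncated_rejected(void)
{
    static const uint8_t payload[8] = { 0 };    /* header claims 16 bytes */
    icon_header_t h = { 2u, 2u, 4u };
    return load_icon_pixels(&h, payload, sizeof payload) == NULL;
}
```

The point of the example is the order of checks: the overflow test happens before the multiplication, the payload length is compared with the computed size before any copy, and a cap bounds what a hostile header can make the decoder allocate. Compile with `-Wall -O2` and the same header passes naive_pixel_bytes with 0 and fails checked_pixel_bytes.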
