Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Control: tags -1 + confirmed
On Mon, 2016-01-18 at 21:39 +0100, Vincent Fourmond wrote:
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond <fourmond@debian.org> wrote:
> > On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
> > > > The imagemagick maintainers (mostly Bastien) have prepared a new
> > > > version of imagemagick for stable that fixes a series of minor
> > > > security issues that the security team did not deem worthy of an
> > > > upload to stable-security. Can we upload the following package? Here
> > > > is the changelog:
> > >
> > > While I've not checked each fix individually (mostly due to the lack of
> > > Debian bugs referenced), at least these changes:
> > >
> > > > - Fix an integer overflow that can lead to a buffer overrun
> > > >   in the icon parsing code (LP: #1459747, closes: #806441)
> > > > - Fix an integer overflow that can lead to a double free in
> > > >   pict parsing (LP: #1448803, closes: #806441).
> > >
> > > claim not to be fixed in unstable according to the BTS metadata, which
> > > is a pre-requisite for fixing them in stable. Please could you clarify
> > > the status of those and the other fixes.
> >
> > You are unfortunately correct. We have uploaded a fix to
> > experimental, but it may not make its way before a while to
> > unstable, so probably the wisest course is to backport the
> > changes to unstable, and then, I'll get back to you.
>
> I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I also
> have updated the changelog to make the changes easier to track.
> Essentially, the upload I'm proposing (debdiff to stable attached)
> makes stable and unstable identical, since there were only security
> fixes involved (the bulk of the work is happening in experimental, but
> there are transitions involved, so it's not very fast...). Is that OK
> for an upload to jpu?
The no-op changes to the patches you haven't changed (i.e. the first 56)
are rather noisy.
Some of the new patches also appear to include unrelated changes; for
instance:
+Subject: [PATCH] Fix PixelColor off by one on i386
[...]
+- "XmlMissingElement", "<levels>, slot \"%s\"", slot);
++ "XmlMissingElement","<levels>, slot \"%s\"",slot);
Assuming that the resulting package has been tested on Jessie, please go
ahead.
Regards,
Adam