
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5

Control: tags -1 + confirmed

On Mon, 2016-01-18 at 21:39 +0100, Vincent Fourmond wrote:
> 
> 
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond <fourmond@debian.org> wrote:
>         On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
>                 Control: tags -1 + moreinfo
>                 
>                 On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>                 >   The imagemagick maintainers (mostly Bastien) have prepared a new
>                 > version of imagemagick for stable that fixes a series of minor
>                 > security issues that the security team did not deem worthy of an
>                 > upload to stable-security. Can we upload the following package? Here
>                 > is the changelog:
>                 
>                 While I've not checked each fix individually (mostly due to the lack of
>                 Debian bugs referenced), at least these changes:
>                 
>                 >     - Fix an integer overflow that can lead to a buffer overrun
>                 >       in the icon parsing code (LP: #1459747, closes: #806441)
>                 >     - Fix an integer overflow that can lead to a double free in
>                 >       pict parsing (LP: #1448803, closes: #806441).
>                 
>                 claim not to be fixed in unstable according to the BTS metadata, which
>                 is a pre-requisite for fixing them in stable. Please could you clarify
>                 the status of those and the other fixes.
>         
>         
>           You are unfortunately correct. We have uploaded a fix to
>         experimental, but it may not make its way to unstable for a while,
>         so probably the wisest course is to backport the changes to
>         unstable, and then I'll get back to you.
> 
> 
>   I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I have
> also updated the changelog to make the changes easier to track.
> Essentially, the upload I'm proposing (debdiff to stable attached)
> makes stable and unstable identical, since there were only security
> fixes involved (the bulk of the work is happening in experimental, but
> there are transitions involved, so it's not very fast...). Is that OK
> for an upload to jpu?

The no-op changes to the patches you haven't changed (i.e. the first 56)
are rather noisy.

Some of the new patches also appear to include unrelated changes; for
instance:

+Subject: [PATCH] Fix PixelColor off by one on i386
[...]
+-        "XmlMissingElement", "<levels>, slot \"%s\"", slot);
++        "XmlMissingElement","<levels>, slot \"%s\"",slot);

Assuming that the resulting package has been tested on Jessie, please go
ahead.

Regards,

Adam

