I suppose the experimental version is immune?

On Tue, Dec 27, 2016 at 8:42 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: imagemagick
> Version: 8:6.8.9.9-5
> Severity: important
> Tags: upstream security
>
> Hi,
>
> the following vulnerability was published for imagemagick. AFAICT,
> this is not yet fixed up to the version in unstable. The CVE
> assignment is at [1] and reads as:
>
>> > Check return of write function
>> > ==============================
>> >
>> > Debian bug: https://bugs.debian.org/845196
>> > Reference URL: https://security-tracker.debian.org/845196
>> > Upstream commit:
>> >   - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
>> >   - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
>> > Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
>> > Upstream version fixed: 7.0.1-10
>> >
>> > The above fixes may be incomplete, according to the upstream issue. In
>> > addition, the -6 branch seems to have an incomplete fix as well.
>>
>> Use CVE-2016-10060 for the issue fixed in 
>> 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
>> Use CVE-2016-10061 for the issue fixed in 
>> 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
>>
>> Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
>> specifically noted at the beginning of issues/196, but not fixed in
>> either of these commits. It is not the same as the fputc issue in
>> ReadGROUP4Image.
>
> CVE-2016-10062[0]:
> fwrite issue in ReadGROUP4Image
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-10062
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10062
> [1] http://www.openwall.com/lists/oss-security/2016/12/26/9
>
> Regards,
> Salvatore
>
