On Fri, 7 Jul 2017, László Böszörményi (GCS) wrote:

Hi Bob,

On Tue, Jul 4, 2017 at 12:59 AM, László Böszörményi (GCS)
<[email protected]> wrote:
On Mon, Jul 3, 2017 at 9:12 PM, Salvatore Bonaccorso <[email protected]> wrote:
On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
That commit is unfortunately not enough. All related changesets to
mat.c since the above one should be taken into account. I got this
comment as a reply to filing this bug report directly from Bob
Friesenhahn (upstream).
I've found seven commits (after releasing 1.3.25), but I think the
first may not be relevant to the security issue. That is, from 24th of
October, 2016: "Ability to read multiple images from Matlab V4
format."
http://hg.code.sf.net/p/graphicsmagick/code/rev/65694fa21e4f
This is a friendly ping - you noted to Salvatore Bonaccorso that the fix of
CVE-2017-10800 spans over multiple commits: does the above one (Matlab
V4 format support) add relevant safety checks for this vulnerability
or, vice versa, only add more complexity?

As far as I am aware (I am not the author of this code), the addition of Matlab V4 format support is not relevant to the security issue. It may be some work to extricate a good patch since the security fixes were put in after the Matlab V4 format support was added.

As usual, we recommend updating to the new release rather than patching only the issues which were assigned CVEs.

Bob
--
Bob Friesenhahn
[email protected], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/