On Sun, Jan 6, 2019 at 12:11 AM Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
> On Sat, 5 Jan 2019, Salvatore Bonaccorso wrote:
> > On Fri, Dec 21, 2018 at 07:56:24AM -0600, Bob Friesenhahn wrote:
> >> It has been suggested to me by the Suse Linux maintainer that the fix I
> >> submitted for CVE-2018-20185 may be less than adequate. However, I will be
> >> away for 1-1/2 weeks and will not have time to investigate.
> >
> > Did you find time for further investigation of the report from the
> > SuSE maintainer? Is the original fix as per
> > http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/648e3977a293 not
> > (completely) solving the security issue or incomplete/inadequate in
> > the sense it introduces some regression (e.g. functionality wise)?
> >
> > What was the concern of the SuSE maintainer?
>
> I am back from vacation but have not investigated the issue yet.
>
> Petr Gajdos referred me to this Suse issue:
>
> https://bugzilla.suse.com/show_bug.cgi?id=1119823#c1

If I understand it correctly, only builds with quantum depth = 8 are affected, right? But please ping us when you have had time to further investigate this.

Thanks, Laszlo/GCS