Raphael Hertzog <[email protected]> writes:

>> For the memory leaks and null pointer issues: Do we take the pessimistic
>> point of view and assume that they are security issues that need fixing,
>> or should we be conservative?
>
> Depending on how it's used, both issues can lead to denial of
> service...

There are a number of DOS attacks against imagemagick that have been labeled no-DSA already.

https://security-tracker.debian.org/tracker/source-package/imagemagick

Is there something different that makes these potential DOS attacks worthy of a DSA/DLA?

I suspect DSA haven't looked at the latest issue yet, so we can't use their recommendations just yet. I wouldn't be surprised if they mark it as no-DSA. Although it could be an exception like TEMP-0773834-5EB6CF which did get fixed for Jessie (but not yet Wheezy).

> The latest upstream release is in experimental, not in unstable. That
> might explain why you are not seeing patches disappear in sid... if you
> want to make a judgment call about the supportability of imagemagick then
> you would rather have to invest more time into analyzing the
> situation.

http://sources.debian.net/patches/summary/imagemagick/8:6.9.2.10+dfsg-1/

Only 19 patches in the experimental version. Which isn't great, but a lot better than anything before experimental.

Of course, I assumed here that the patches were dropped because they aren't needed any more. Which I suspect might be a reasonable assumption, as it looks like the patches are tracked in git.

For the purposes of fixing this in squeeze it doesn't actually have any impact anyway.

--
Brian May <[email protected]>
