Hello Security Team,

As a contributor to squeeze-lts, it was suggested that I contact the security team for advice on how to handle the security updates for imagemagick in squeeze-lts.

As per my email to debian LTS (below), I identified five patches from the unstable version which look relevant:

0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
0070-Fix-PixelColor-off-by-one-on-i386.patch
0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
0073-Fixed-memory-leaks.patch

I have been advised each of these issues should have its own CVE. I have also been advised that the memory leaks aren't worth bothering with, so that leaves 0070, 0071, and 0072 that we would need to deal with. Out of these, only the 0071 patch applies cleanly to the version in squeeze.

I also note that a number of security issues concerning imagemagick have been marked no-DSA for wheezy and jessie. What would you advise for these issues?

Also I note that a number of security issues fixed in squeeze-lts don't have assigned CVEs - is this something that needs rectifying?

Brian May <[email protected]> writes:

> Just been looking at this again:
>
> There are five patches from the unstable version which look relevant:
>
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
>
> Out of these, only 0071 applies cleanly.
>
> The others, it looks like the code base is considerably different, and
> it is very possible that these problems may not even have been in the
> squeeze version.
>
> I might be able to get somewhere with 0072 if I persisted, not sure I
> would necessarily be able to trust the results.
>
> So I am inclined to apply the 0071 patch to the version in squeeze, and
> then mark TEMP-0811308-B63DA1 as resolved. Or should I do something else
> like create separate entries for each issue or something?
> --
> Brian May <[email protected]>

--
Brian May <[email protected]>
