Luciano Bello <[email protected]> writes:

> On Sunday 06 March 2016 16.34.26 Brian May wrote:
>> The following patch applied to the imagemagick in Debian wheezy should
>> fix the security problem already resolved in squeeze. The patches have
>> been ported from the squeeze version.
>
> This is great! Thanks!
> Just a small comment, we usually use high urgency for these kinds of
> issues.

Oops. Can fix this.

> Do you think it is also possible to include the issues from
> TEMP-0811308-B63DA1?

All but one of the patches fail to apply. Suspect this will be
non-trivial to fix. It is possible that this means the vulnerability
doesn't exist.

Should I apply the
0071-Prevent-null-pointer-access-in-magick-constitute.c.patch patch?

It looks like it should be possible to massage
0072-Fixed-out-of-bounds-error-in-SpliceImage.patch into place too, as
only the first hunk fails, and it just adds a new function.

[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
checking file coders/psd.c
Hunk #1 FAILED at 1521.
1 out of 1 hunk FAILED

[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch
checking file coders/jpeg.c
Hunk #1 succeeded at 1626 (offset -42 lines).
Hunk #2 succeeded at 1635 (offset -42 lines).
Hunk #3 succeeded at 1657 (offset -42 lines).
Hunk #4 succeeded at 1667 (offset -42 lines).
Hunk #5 succeeded at 1677 (offset -42 lines).
Hunk #6 succeeded at 1687 (offset -42 lines).
Hunk #7 succeeded at 1697 (offset -42 lines).
Hunk #8 succeeded at 1707 (offset -42 lines).
Hunk #9 succeeded at 1717 (offset -42 lines).
Hunk #10 succeeded at 1746 (offset -42 lines).
checking file magick/cache.c
Hunk #1 succeeded at 673 (offset -2747 lines).
Hunk #2 FAILED at 3432.
Hunk #3 FAILED at 3452.
Hunk #4 FAILED at 3484.
Hunk #5 FAILED at 4178.
Hunk #6 FAILED at 4185.
Hunk #7 FAILED at 4192.
Hunk #8 FAILED at 4205.
Hunk #9 succeeded at 4726 with fuzz 2 (offset 329 lines).
7 out of 9 hunks FAILED
checking file magick/color.c
Hunk #1 FAILED at 2731.
Hunk #2 FAILED at 2755.
2 out of 2 hunks FAILED
checking file magick/identify.c
Hunk #1 succeeded at 220 (offset -235 lines).
Hunk #2 succeeded at 235 (offset -235 lines).

[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
checking file magick/constitute.c
Hunk #1 succeeded at 1347 (offset 48 lines).
Hunk #2 succeeded at 1367 (offset 48 lines).

[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
checking file magick/transform.c
Hunk #1 FAILED at 95.
Hunk #2 succeeded at 1646 (offset -87 lines).
Hunk #3 succeeded at 1731 (offset -87 lines).
Hunk #4 succeeded at 1755 (offset -87 lines).
Hunk #5 succeeded at 1766 (offset -87 lines).
Hunk #6 succeeded at 1836 (offset -85 lines).
Hunk #7 succeeded at 1849 (offset -85 lines).
1 out of 7 hunks FAILED

[brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1 --dry-run < ../imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch
checking file magick/nt-base.c
Hunk #1 FAILED at 1107.
Hunk #2 FAILED at 1116.
2 out of 2 hunks FAILED
checking file magick/utility.c
Hunk #1 FAILED at 1817.
Hunk #2 FAILED at 1828.
Hunk #3 FAILED at 1877.
3 out of 3 hunks FAILED

--
Brian May <[email protected]>
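
An added example, not part of the original message: a shell function that condenses `patch --dry-run` output like the runs above into one line per file, counting hunks that applied only with fuzz or a large offset separately so they get a manual look. The `MAX_OFFSET` threshold, the verdict labels and the function names are assumptions; the sample lines are abridged from the output in the message.

```shell
#!/bin/sh
# Usage (real run): patch -p1 --dry-run < some.patch | triage_dry_run
# MAX_OFFSET is an assumed review threshold, not a value from the thread.
MAX_OFFSET=${MAX_OFFSET:-100}

triage_dry_run() {
    awk -v max="$MAX_OFFSET" '
        # Print the summary line for the file we have just finished reading.
        function emit() {
            if (file == "") return
            verdict = fail ? "PORT-BY-HAND" : (review ? "REVIEW" : "CLEAN")
            printf "%s ok=%d review=%d failed=%d %s\n", file, ok, review, fail, verdict
        }
        /^(checking|patching) file / { emit(); file = $3; ok = review = fail = 0; next }
        /^Hunk #[0-9]+ FAILED/ { fail++; next }
        /^Hunk #[0-9]+ succeeded/ {
            off = 0
            # Pull the signed line offset out of "(offset -42 lines)".
            if (match($0, /offset -?[0-9]+ line/)) {
                off = substr($0, RSTART + 7, RLENGTH - 12) + 0
                if (off < 0) off = -off
            }
            # Fuzz or a large offset means the context only loosely matched.
            if ($0 ~ /with fuzz/ || off > max) review++; else ok++
        }
        END { emit() }
    '
}

# Sample input: lines abridged from the 0070 dry run quoted in the message.
sample_output() {
    cat <<'EOF'
checking file coders/jpeg.c
Hunk #1 succeeded at 1626 (offset -42 lines).
Hunk #2 succeeded at 1635 (offset -42 lines).
checking file magick/cache.c
Hunk #1 succeeded at 673 (offset -2747 lines).
Hunk #2 FAILED at 3432.
Hunk #9 succeeded at 4726 with fuzz 2 (offset 329 lines).
checking file magick/color.c
Hunk #1 FAILED at 2731.
Hunk #2 FAILED at 2755.
EOF
}

sample_output | triage_dry_run
```

A `CLEAN` verdict only says the hunks found matching context nearby; it does not show that the backported fix is correct for the older code.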
