On 2016-05-17 21:50:22, Brian May wrote:
> Hello,
>
> I have backported the patches for imagemagick in Jessie to Wheezy.
>
> As attached. I think most of this is straightforward however not 100%
> certain of the 0079-Indirect-filename-must-be-authorized-by-policy.patch
> patch.
>
> In particular, it returns ConstantString("") instead of NULL - I hope
> this is correct for the Wheezy version. There also appears to be a new
> check that returns ConstantString("") if the input string only contains
> whitespace that I included.
>
> I am looking to see if I can find a test case to test this against,
> however I don't see anything on oss-security.

The imagetragick folks have a PoCs test suite which I ran against
imagemagick before and after the policy.xml patch, which was sufficient
to block those PoCs:

https://github.com/ImageTragick/PoCs

Maybe it could be used to test with the code vs policy patches? Not
sure.

A.

--
Power is not to be conquered, it is to be destroyed
                        - Jean-François Brient, de la servitude moderne