Hi Brian,

On Wed, Jun 08, 2016 at 06:02:16PM +1000, Brian May wrote:
[...]
> In security tracker, all of these link to the same commit:
>
> https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950
> Prevent buffer overflow in magick/draw.c
[...]

Yes, the situation for those CVEs is quite unfortunate. See MITRE's
explanation on https://marc.info/?l=oss-security&m=146505990532420&w=2 :

> The person who requested these CVE IDs from MITRE provided a security
> advisory showing three independent problems (also with quite different
> attack methodologies) that each happens to have a resultant buffer
> overflow. However, they do not plan to make their security advisory
> public. The CVE descriptions are based only on the surface-level
> code-change information that is public in GitHub. For open-source
> software, it is relatively rare for someone to compose a detailed
> advisory about multiple CVEs and keep it permanently non-public, but
> this can happen. One of the effects of non-public advisories is that
> the number of CVEs may seem unrelated to the commit message.

Regards,
Salvatore
