On 28/12/16 23:08, Roberto C. Sánchez wrote:
> Hi Ola,
>
> The issues CVE-2016-8677 and CVE-2016-9559 were fixed by Antoine when he
> uploaded that latest imagemagick update to LTS. However, the
> announcement (DLA-756-1) did not list those issues among the issues that
> were addressed by that update. I have already mentioned it to him a
> couple of days ago via private email.
Hmm, it seems to me that the CVE-2016-8677 fix is incomplete:

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60

Our patch:
https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/tree/debian/patches/0127-CVE-2016-8677.patch?h=debian/8%256.7.7.10-5%2bdeb7u10

I have pushed a fix to the git repo, see:
https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/commit/?id=897f6693d7a98c93e813c0522effdbd69df4cd11

Does that look correct? Unfortunately there's no test case for this issue. How do you normally test imagemagick?

Cheers,
Emilio
