On 16/01/17 20:48, Antoine Beaupré wrote:
> Hi,
>
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
>
> I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
> however. The patch depends on the fairly new height/width "magick
> resource limit" management, which was introduced in [January
> 2015][2]. The [patch][2] is rather intrusive and I don't think is a good
> candidate for wheezy, especially because it probably breaks ABI
> compatibility. Attached is my best shot at porting the patch for
> CVE-2016-9830, which fails to comply, but may be useful for jessie or
> others.
>
> So I don't see any choice but to mark that issue as no-dsa. The impact
> of the patch is more of a DOS (memory exhaustion, from what I can tell)
> than code execution, so I think it doesn't warrant major code changes.
>
> I have built a package for amd64 in the [usual location][3] and attached
> the debdiff for the debu6 update. I confirm the patch here fixes
> CVE-2016-5240 properly.
>
> I am not sure I should upload this directly now considering it's such a
> small fix, but given that it crashes with the bad data, maybe it's worth
> it?
I'd say it makes sense to release a regression update.

BTW I'm not sure about this change, which is not mentioned in your changelog entry:

--- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.000000000 +0200 +++ graphicsmagick-1.3.16/debian/rules 2017-01-16 19:22:54.000000000 +0100 @@ -36,7 +36,7 @@ CFLAGS = -Wall -g -fno-strict-aliasing LDFLAGS = -include /usr/share/hardening-includes/hardening.make +-include /usr/share/hardening-includes/hardening.make CFLAGS += $(HARDENING_CFLAGS) LDFLAGS += $(HARDENING_LDFLAGS)

Cheers,
Emilio
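Review bot: in the debian/rules hunk, replacing `include /usr/share/hardening-includes/hardening.make` with `-include ...` makes the hardening flags silently optional. GNU make's `-include` ignores a missing file without error, so if hardening.make is absent at build time, `$(HARDENING_CFLAGS)` and `$(HARDENING_LDFLAGS)` on the following lines expand to nothing and the package builds without hardening and without any failure to flag it; with the plain `include` the build would stop instead. Since the change is not mentioned in the changelog, either revert it or, if tolerating a missing file is intended, document the reason in the changelog and make sure the package providing that file is a hard build dependency so the include is always present.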
