Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Control: tags -1 + pending

On 2016-02-02 22:59, Vincent Fourmond wrote:
> Dear Adam,
>
> On Sun, Jan 31, 2016 at 7:19 PM, Adam D. Barratt wrote:
[...]
>> Some of the new patches also appear to include unrelated changes; for
>> instance:
>>
>> +Subject: [PATCH] Fix PixelColor off by one on i386
>> [...]
>> +-"XmlMissingElement", ", slot \"%s\"", slot);
>> ++"XmlMissingElement",", slot \"%s\"",slot);
>
> These are cosmetic fixes that come from the upstream patches also fixing
> the security issues, we didn't feel like editing upstream commits.

I guessed that was the case. I still wish that people wouldn't do it. :-(

>> Assuming that the resulting package has been tested on Jessie, please go
>> ahead.
>
> Yep, I've just checked it works fine, I'm uploading right away.

Flagged for acceptance.

Regards,

Adam
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Dear Adam,

On Sun, Jan 31, 2016 at 7:19 PM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
>> Essentially, the upload I'm proposing (debdiff to stable attached)
>> makes stable and unstable identical, since there were only security
>> fixes involved (the bulk of the work is happening in experimental, but
>> there are transitions involved, so it's not very fast...). Is that OK
>> for an upload to jpu ?
>
> The no-op changes to the patches you haven't changed (i.e. the first 56)
> are rather noisy.

I'm sorry, this is one of the current shortcomings of gitpkg, which we
find quite comfortable otherwise to deal with such a complex package.

> Some of the new patches also appear to include unrelated changes; for
> instance:
>
> +Subject: [PATCH] Fix PixelColor off by one on i386
> [...]
> +-"XmlMissingElement", ", slot \"%s\"", slot);
> ++"XmlMissingElement",", slot \"%s\"",slot);

These are cosmetic fixes that come from the upstream patches also fixing
the security issues, we didn't feel like editing upstream commits.

> Assuming that the resulting package has been tested on Jessie, please go
> ahead.

Yep, I've just checked it works fine, I'm uploading right away.

Thanks !

Vincent
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Control: tags -1 + confirmed

On Mon, 2016-01-18 at 21:39 +0100, Vincent Fourmond wrote:
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond wrote:
>> On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt wrote:
>>> Control: tags -1 + moreinfo
>>>
>>> On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>>>> The imagemagick maintainers (mostly Bastien) have prepared a new
>>>> version of imagemagick for stable that fixes a series of minor
>>>> security issues that the security team did not deem worthy of an
>>>> upload to stable-security. Can we upload the following package ? Here
>>>> is the changelog:
>>>
>>> While I've not checked each fix individually (mostly due to the lack of
>>> Debian bugs referenced), at least these changes:
>>>
>>>> - Fix an integer overflow that can lead to a buffer overrun
>>>>   in the icon parsing code (LP: #1459747, closes: #806441)
>>>> - Fix an integer overflow that can lead to a double free in
>>>>   pict parsing (LP: #1448803, closes: #806441).
>>>
>>> claim not to be fixed in unstable according to the BTS metadata, which
>>> is a pre-requisite for fixing them in stable. Please could you clarify
>>> the status of those and the other fixes.
>>
>> You are unfortunately correct. We have uploaded a fix to experimental,
>> but it may not make its way before a while to unstable, so probably the
>> wisest course is to backport the changes to unstable, and then, I'll get
>> back to you.
>
> I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I also
> have updated the changelog to make the changes more easy to track.
> Essentially, the upload I'm proposing (debdiff to stable attached)
> makes stable and unstable identical, since there were only security
> fixes involved (the bulk of the work is happening in experimental, but
> there are transitions involved, so it's not very fast...). Is that OK
> for an upload to jpu ?

The no-op changes to the patches you haven't changed (i.e. the first 56)
are rather noisy.

Some of the new patches also appear to include unrelated changes; for
instance:

+Subject: [PATCH] Fix PixelColor off by one on i386
[...]
+-"XmlMissingElement", ", slot \"%s\"", slot);
++"XmlMissingElement",", slot \"%s\"",slot);

Assuming that the resulting package has been tested on Jessie, please go
ahead.

Regards,

Adam
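The two kinds of noise pointed out above (a hunk on an untouched patch whose only effect is dropping the git format-patch trailer, and a whitespace-only re-spacing riding inside a new security patch) can be flagged mechanically before a debdiff is sent for review. The script below is an added example for this thread, not tooling from the imagemagick maintainers or the release team. The debdiff it scans is constructed from the fragments quoted in the thread: the 0057 file name, the inner `magick/some-file.c` path and the two `*_line_of_the_real_fix()` lines are placeholders, and nothing in it reflects the real content of the PixelColor patch.

```python
"""Flag no-op and cosmetic-only hunks in a debdiff of debian/patches/.

Added example for this thread, not the maintainers' or release team's
tooling. It reports hunks whose only effect is dropping a git
format-patch trailer ("-- " plus a version line), hunks whose removed and
added lines are identical once whitespace is ignored, and, inside a newly
added patch file, inner -/+ pairs that differ only in whitespace.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the debdiff from this bug: a
# trailer-only hunk on an untouched patch, then a new patch carrying one
# cosmetic re-spacing next to its real change. The inner file path and the
# *_line_of_the_real_fix() lines are placeholders, not the real patch.
SAMPLE_DEBDIFF = r"""diff -Nru a/debian/patches/0001-Use-svg-instead-of-png.patch b/debian/patches/0001-Use-svg-instead-of-png.patch
--- a/debian/patches/0001-Use-svg-instead-of-png.patch
+++ b/debian/patches/0001-Use-svg-instead-of-png.patch
@@ -82,5 +82,2 @@
 # If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
 # enable generation of interactive SVG images that allow zooming and panning.
---
-2.1.4
-
diff -Nru a/debian/patches/0057-Fix-PixelColor-off-by-one-on-i386.patch b/debian/patches/0057-Fix-PixelColor-off-by-one-on-i386.patch
--- a/debian/patches/0057-Fix-PixelColor-off-by-one-on-i386.patch
+++ b/debian/patches/0057-Fix-PixelColor-off-by-one-on-i386.patch
@@ -0,0 +1,9 @@
+Subject: [PATCH] Fix PixelColor off by one on i386
+--- a/magick/some-file.c
++++ b/magick/some-file.c
+@@ -1,4 +1,4 @@
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingElement", ", slot \"%s\"", slot);
++        "XmlMissingElement",", slot \"%s\"",slot);
+-  old_line_of_the_real_fix();
++  new_line_of_the_real_fix();
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
TRAILER_RE = re.compile(r"^--\s?$")          # git format-patch signature line
VERSION_RE = re.compile(r"^\d+(?:\.\d+)+$")  # the git version printed under it


@dataclass
class Hunk:
    path: str
    header: str
    removed: list = field(default_factory=list)  # outer '-' lines, prefix stripped
    added: list = field(default_factory=list)    # outer '+' lines, prefix stripped


def parse_unified_diff(text):
    """Split a unified diff into Hunk objects.

    The line counts in the hunk header decide where a hunk ends, so a
    removed "-- " trailer (which shows up as "--- ") is never mistaken
    for a file header.
    """
    hunks, path, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        m = HUNK_RE.match(line)
        if line.startswith("diff "):
            path = line.split()[-1]
        elif m:
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
            hunk = Hunk(path, line)
            while (old_left > 0 or new_left > 0) and i + 1 < len(lines):
                i += 1
                body = lines[i]
                if body.startswith("\\"):      # "\ No newline at end of file"
                    continue
                if body.startswith("-"):
                    hunk.removed.append(body[1:])
                    old_left -= 1
                elif body.startswith("+"):
                    hunk.added.append(body[1:])
                    new_left -= 1
                else:                          # context line
                    old_left -= 1
                    new_left -= 1
            hunks.append(hunk)
        i += 1
    return hunks


def squash(s):
    """Remove all whitespace so cosmetic re-spacing compares equal."""
    return "".join(s.split())


def is_trailer_only(hunk):
    """True if the hunk only drops a git format-patch trailer."""
    body = [l for l in hunk.removed if l.strip()]
    if hunk.added or len(body) != 2:
        return False
    return bool(TRAILER_RE.match(body[0]) and VERSION_RE.match(body[1]))


def is_whitespace_only(hunk):
    """True if removed and added lines are identical modulo whitespace."""
    if not hunk.removed or not hunk.added:
        return False
    return [squash(l) for l in hunk.removed] == [squash(l) for l in hunk.added]


def cosmetic_inner_pairs(hunk):
    """Inside an added patch file, inner -/+ lines equal modulo whitespace."""
    inner_removed = [l[1:] for l in hunk.added if l.startswith("-") and not l.startswith("---")]
    inner_added = [l[1:] for l in hunk.added if l.startswith("+") and not l.startswith("+++")]
    by_norm = {squash(l): l for l in inner_added}
    return [(r, by_norm[squash(r)]) for r in inner_removed if squash(r) in by_norm]


def review(diff_text):
    """Return (path, finding) pairs for every noisy hunk in the debdiff."""
    findings = []
    for hunk in parse_unified_diff(diff_text):
        if is_trailer_only(hunk):
            findings.append((hunk.path, "trailer-only"))
        elif is_whitespace_only(hunk):
            findings.append((hunk.path, "whitespace-only"))
        for removed, added in cosmetic_inner_pairs(hunk):
            findings.append((hunk.path, f"cosmetic: {removed.strip()!r} -> {added.strip()!r}"))
    return findings


if __name__ == "__main__":
    for path, finding in review(SAMPLE_DEBDIFF):
        print(f"{path}: {finding}")
```

Run against a real debdiff with `review(open("imagemagick.debdiff").read())`; a trailer-only or whitespace-only finding on a patch means the stable source is unchanged by that hunk and the diff can be regenerated without it, while a cosmetic finding inside a new patch is the reviewer's cue to separate the upstream cosmetic change from the security fix or to say in the patch header why it was kept.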
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Hello,

On Mon, Jan 18, 2016 at 9:39 PM, Vincent Fourmond wrote:
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond wrote:
>> On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
>>> Control: tags -1 + moreinfo
>>>
>>> On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>>>> The imagemagick maintainers (mostly Bastien) have prepared a new
>>>> version of imagemagick for stable that fixes a series of minor
>>>> security issues that the security team did not deem worthy of an
>>>> upload to stable-security. Can we upload the following package ? Here
>>>> is the changelog:
>>>
>>> While I've not checked each fix individually (mostly due to the lack of
>>> Debian bugs referenced), at least these changes:
>>>
>>>> - Fix an integer overflow that can lead to a buffer overrun
>>>>   in the icon parsing code (LP: #1459747, closes: #806441)
>>>> - Fix an integer overflow that can lead to a double free in
>>>>   pict parsing (LP: #1448803, closes: #806441).
>>>
>>> claim not to be fixed in unstable according to the BTS metadata, which
>>> is a pre-requisite for fixing them in stable. Please could you clarify
>>> the status of those and the other fixes.
>>
>> You are unfortunately correct. We have uploaded a fix to experimental,
>> but it may not make its way before a while to unstable, so probably the
>> wisest course is to backport the changes to unstable, and then, I'll get
>> back to you.
>
> I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I also have
> updated the changelog to make the changes more easy to track. Essentially,
> the upload I'm proposing (debdiff to stable attached) makes stable and
> unstable identical, since there were only security fixes involved (the bulk
> of the work is happening in experimental, but there are transitions
> involved, so it's not very fast...). Is that OK for an upload to jpu ?

Can I upload to jpu, then ? Or should the fix move to testing first ?

Cheers,

Vincent
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
On Thu, 2016-01-14 at 22:49 +0100, Vincent Fourmond wrote:
>> While I've not checked each fix individually (mostly due to the lack of
>> Debian bugs referenced), at least these changes:
[...]
> Regarding your other comment, not all the security problems correspond
> to a bug report. I guess I'll just have to file a "global" one for a
> series of problems...

There doesn't necessarily need to be a bug in the BTS for each change. The
reason I mentioned it is that having them does make it easier to track the
status of a particular issue being addressed in any given suite - checking
BTS metadata is generally quicker and easier than unpacking the source
packages and trying to locate the relevant fixes.

(That's also why I mentioned the particular changes that I did, as my
initial cursory review involved pulling the Closes: out of your mail and
looking at the metadata.)

Regards,

Adam
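The cursory review described above, pulling the Closes: references out of the changelog and checking them against BTS metadata, is the part of the process that can be automated, and doing so also surfaces the entries that cannot be checked that way because they reference nothing at all. The script below is an added example, not anything from this thread or from Debian's own tooling. It parses the stanza proposed in this bug (copied from the report, with the trailer line reproduced as it appears there, without an address), splits the security list into entries, and separates entries that carry a Debian bug, Launchpad bug or CVE reference from those that carry none. It deliberately stops short of querying the BTS over the network so that it runs offline.

```python
"""Extract the bug references each debian/changelog entry carries.

Added example, not from this thread or from Debian's tooling: it parses
one changelog stanza, splits the fix list into entries, and reports which
carry a Debian (Closes:), Launchpad (LP:) or CVE reference and which carry
none, so a reviewer knows which entries the BTS can answer for and which
need the source unpacked.
"""
import re

# The stanza proposed in this bug, copied from the report (the trailer
# line is reproduced as it appears there).
CHANGELOG = """\
imagemagick (8:6.8.9.9-5+deb8u1) stable; urgency=medium

  * Fix build on mips by printing progress (Closes: #770009).
  * Fix a few security bugs:
    - A DOS on specially crafted MIFF file.
    - A DOS on specially crafted Vicar file.
    - A DOS on specially crafted HDR file.
    - A DOs on specially crafted PDB file.
    - Fix a Null dereference in coders/png.c (LP: #1492881).
    - Fix a double free in coders/tga.c (LP: #1490362).
    - Avoid a DOS for RLE file.
    - Avoid a bufer overflow by using field limit in sprintf.
    - Avoid a stack overflow in fx handling.
    - Fixed size of memory allocation in RLE coder
      to avoid segfault (LP: #1496649).
    - Add extra checks to avoid out of bounds error
      when parsing the 8bim profile. (LP: #1496645).
    - Fixed memory leak when reading incorrect PSD files
    - Fix PixelColor off by one on i386.
    - Fix out of bounds error in -splice operator.
    - Prevent null pointer access in magick/constitute.c
    - Fix another memory leak in string handling.
    - Fix an integer overflow that can lead to a buffer overrun
      in the icon parsing code (LP: #1459747, closes: #806441)
    - Fix an integer overflow that can lead to a double free in
      pict parsing (LP: #1448803, closes: #806441).

 -- Bastien Roucariès  Sat, 09 Jan 2016 23:05:59 +0100
"""

HEADER_RE = re.compile(r"^(\S+) \((\S+)\) (\S+);")
# Debian policy's Closes: syntax: "closes: #1, bug#2, 3" and variations.
CLOSES_RE = re.compile(r"closes:\s*(?:bug)?#?\s?\d+(?:,\s*(?:bug)?#?\s?\d+)*", re.I)
LP_RE = re.compile(r"LP:\s*#(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_stanza(text):
    """Return (source, version, distribution, entries).

    An entry is {"level": "*" or "-", "text": ...}; continuation lines are
    joined onto the entry they indent under.
    """
    lines = text.splitlines()
    source, version, dist = HEADER_RE.match(lines[0]).groups()
    entries = []
    for line in lines[1:]:
        if line.startswith(" -- "):          # maintainer trailer ends the stanza
            break
        stripped = line.strip()
        if not stripped:
            continue
        if stripped[:2] in ("* ", "- "):
            entries.append({"level": stripped[0], "text": stripped[2:].strip()})
        elif entries:
            entries[-1]["text"] += " " + stripped
    return source, version, dist, entries


def references(text):
    """Bug references in one entry: Debian bug numbers, LP numbers, CVE ids."""
    debian = [int(n) for m in CLOSES_RE.finditer(text) for n in re.findall(r"\d+", m.group(0))]
    return {"debian": debian, "lp": [int(n) for n in LP_RE.findall(text)], "cve": CVE_RE.findall(text)}


def audit(text):
    """Split the '-' sub-entries into (tracked, untracked) lists of (text, refs)."""
    tracked, untracked = [], []
    for entry in parse_stanza(text)[3]:
        if entry["level"] != "-":
            continue
        refs = references(entry["text"])
        (tracked if any(refs.values()) else untracked).append((entry["text"], refs))
    return tracked, untracked


def debian_bugs(text):
    """Every Debian bug the stanza claims to close, for a BTS metadata check."""
    return sorted({n for e in parse_stanza(text)[3] for n in references(e["text"])["debian"]})


if __name__ == "__main__":
    tracked, untracked = audit(CHANGELOG)
    print(f"{len(tracked)} tracked, {len(untracked)} without any bug reference")
    for text, _ in untracked:
        print("  untracked:", text)
    print("Debian bugs to check in the BTS:", debian_bugs(CHANGELOG))
```

On this stanza only 6 of the 18 security entries carry a reference, and both Debian bug numbers it closes collapse to two bugs to look up, which is exactly why the reviewer above could check those two against the BTS and had to ask about the rest.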
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
>> The imagemagick maintainers (mostly Bastien) have prepared a new
>> version of imagemagick for stable that fixes a series of minor
>> security issues that the security team did not deem worthy of an
>> upload to stable-security. Can we upload the following package ? Here
>> is the changelog:
>
> While I've not checked each fix individually (mostly due to the lack of
> Debian bugs referenced), at least these changes:
>
>> - Fix an integer overflow that can lead to a buffer overrun
>>   in the icon parsing code (LP: #1459747, closes: #806441)
>> - Fix an integer overflow that can lead to a double free in
>>   pict parsing (LP: #1448803, closes: #806441).
>
> claim not to be fixed in unstable according to the BTS metadata, which
> is a pre-requisite for fixing them in stable. Please could you clarify
> the status of those and the other fixes.

You are unfortunately correct. We have uploaded a fix to experimental,
but it may not make its way before a while to unstable, so probably the
wisest course is to backport the changes to unstable, and then, I'll get
back to you.

Regarding your other comment, not all the security problems correspond
to a bug report. I guess I'll just have to file a "global" one for a
series of problems...

Regards,

Vincent
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Control: tags -1 + moreinfo

On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
> The imagemagick maintainers (mostly Bastien) have prepared a new
> version of imagemagick for stable that fixes a series of minor
> security issues that the security team did not deem worthy of an
> upload to stable-security. Can we upload the following package ? Here
> is the changelog:

While I've not checked each fix individually (mostly due to the lack of
Debian bugs referenced), at least these changes:

> - Fix an integer overflow that can lead to a buffer overrun
>   in the icon parsing code (LP: #1459747, closes: #806441)
> - Fix an integer overflow that can lead to a double free in
>   pict parsing (LP: #1448803, closes: #806441).

claim not to be fixed in unstable according to the BTS metadata, which
is a pre-requisite for fixing them in stable. Please could you clarify
the status of those and the other fixes.

Regards,

Adam
Bug#811024: jessie-pu: package imagemagick/8:6.8.9.9-5
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

The imagemagick maintainers (mostly Bastien) have prepared a new
version of imagemagick for stable that fixes a series of minor
security issues that the security team did not deem worthy of an
upload to stable-security. Can we upload the following package ? Here
is the changelog:

imagemagick (8:6.8.9.9-5+deb8u1) stable; urgency=medium

  * Fix build on mips by printing progress (Closes: #770009).
  * Fix a few security bugs:
    - A DOS on specially crafted MIFF file.
    - A DOS on specially crafted Vicar file.
    - A DOS on specially crafted HDR file.
    - A DOS on specially crafted PDB file.
    - Fix a Null dereference in coders/png.c (LP: #1492881).
    - Fix a double free in coders/tga.c (LP: #1490362).
    - Avoid a DOS for RLE file.
    - Avoid a buffer overflow by using field limit in sprintf.
    - Avoid a stack overflow in fx handling.
    - Fixed size of memory allocation in RLE coder
      to avoid segfault (LP: #1496649).
    - Add extra checks to avoid out of bounds error
      when parsing the 8bim profile. (LP: #1496645).
    - Fixed memory leak when reading incorrect PSD files
    - Fix PixelColor off by one on i386.
    - Fix out of bounds error in -splice operator.
    - Prevent null pointer access in magick/constitute.c
    - Fix another memory leak in string handling.
    - Fix an integer overflow that can lead to a buffer overrun
      in the icon parsing code (LP: #1459747, closes: #806441)
    - Fix an integer overflow that can lead to a double free in
      pict parsing (LP: #1448803, closes: #806441).

 -- Bastien Roucariès  Sat, 09 Jan 2016 23:05:59 +0100

I've also attached the debdiff. Most patches are trivial fixes.

Cheers,

Vincent

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog	2014-12-29 11:53:11.0 +0100
+++ imagemagick-6.8.9.9/debian/changelog	2016-01-14 22:29:20.0 +0100
@@ -1,3 +1,32 @@ +imagemagick (8:6.8.9.9-5+deb8u1) stable; urgency=medium + + * Fix build on mips by printing progress (Closes: #770009). + * Fix a few security bugs: +- A DOS on specially crafted MIFF file. +- A DOS on specially crafted Vicar file. +- A DOS on specially crafted HDR file. +- A DOs on specially crafted PDB file. +- Fix a Null dereference in coders/png.c (LP: #1492881). +- Fix a double free in coders/tga.c (LP: #1490362). +- Avoid a DOS for RLE file. +- Avoid a bufer overflow by using field limit in sprintf. +- Avoid a stack overflow in fx handling. +- Fixed size of memory allocation in RLE coder + to avoid segfault (LP: #1496649). +- Add extra checks to avoid out of bounds error + when parsing the 8bim profile. (LP: #1496645). +- Fixed memory leak when reading incorrect PSD files +- Fix PixelColor off by one on i386. +- Fix out of bounds error in -splice operator. +- Prevent null pointer access in magick/constitute.c +- Fix another memory leak in string handling. +- Fix an integer overflow that can lead to a buffer overrun + in the icon parsing code (LP: #1459747, closes: #806441) +- Fix an integer overflow that can lead to a double free in + pict parsing (LP: #1448803, closes: #806441). + + -- Bastien Roucariès Sat, 09 Jan 2016 23:05:59 +0100 + imagemagick (8:6.8.9.9-5) unstable; urgency=high * Fix incorrect fix for xpm security problem. diff -Nru imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch --- imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch 2014-12-29 11:55:33.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch 2016-01-14 22:29:34.0 +0100 
@@ -81,6 +81,3 @@ # If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to # enable generation of interactive SVG images that allow zooming and panning. --- -2.1.4 - diff -Nru imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch --- imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch 2014-12-29 11:55:33.0 +0100 +++ imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch 2016-01-14 22:29:34.0 +0100
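Review bot: in the debian/changelog hunk (@@ -1,3 +1,32 @@) only 6 of the 18 security sub-entries carry any reference (the png.c, tga.c, RLE allocation, 8bim, icon and pict lines cite LP or Debian bugs); the other 12, including "A DOS on specially crafted MIFF file." and "Fix PixelColor off by one on i386.", name no bug, CVE or upstream commit, so a reviewer cannot confirm from the stanza that each is already fixed in unstable, which is the very question raised earlier in this thread. Suggest adding the upstream commit id or the matching bug to each of those lines, and while editing, fixing "A DOs on specially crafted PDB file." to "DOS" and "Avoid a bufer overflow" to "buffer".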
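Review bot: the 0001-Use-svg-instead-of-png-for-generating-class-diagram.patch hunk (@@ -81,6 +81,3 @@) changes nothing but the trailing git format-patch signature, removing "--", "2.1.4" and the blank line after the last context line, so it is a no-op for the built package and only adds to the size of the stable diff; the diff header for 0002-Fix-html-documents.patch that immediately follows suggests the next patch got the same treatment. Suggest regenerating the debdiff so untouched patches keep their trailers exactly as they are in stable, leaving the stable upload to consist of the new security patches alone.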