Re: CVE-2016-3714 in ImageMagick

2016-05-05 Thread Brian May
Salvatore Bonaccorso writes:

> See the discussion about this on
> http://www.openwall.com/lists/oss-security/2016/05/03/19 though.

Thanks for this. I did see it at the time, however didn't get a chance
yet to read it properly.

Also see the comment at the bottom of
https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181

It does seem like these 2 patches combined don't fix CVE-2016-3714
and I can't see anything that attempts to fix CVE-2016-3715 -
CVE-2016-3718 either.
-- 
Brian May 



Re: CVE-2016-3714 in ImageMagick

2016-05-05 Thread Salvatore Bonaccorso
Hi,

On Thu, May 05, 2016 at 10:20:06AM +0200, William Dauchy wrote:
> Hi Brian,
> 
> Thank you for your answer.
> 
> On Thu, May 5, 2016 at 9:52 AM, Brian May wrote:
> > Thanks for your email.
> > Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to
> > CVE-2016-3718.
> > https://security-tracker.debian.org/tracker/source-package/imagemagick
> > If I correctly understand you, if both of the patches you mention are
> > applied to imagemagick, this will completely fix CVE-2016-3714?
> 
> Yes indeed.
> https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccfcddc93
> https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
> It should be applied to both wheezy and jessie.

See the discussion about this on
http://www.openwall.com/lists/oss-security/2016/05/03/19 though.

Regards,
Salvatore



Re: CVE-2016-3714 in ImageMagick

2016-05-05 Thread William Dauchy
Hi Brian,

Thank you for your answer.

On Thu, May 5, 2016 at 9:52 AM, Brian May wrote:
> Thanks for your email.
> Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to
> CVE-2016-3718.
> https://security-tracker.debian.org/tracker/source-package/imagemagick
> If I correctly understand you, if both of the patches you mention are
> applied to imagemagick, this will completely fix CVE-2016-3714?

Yes indeed.
https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccfcddc93
https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
It should be applied to both wheezy and jessie.

-- 
William



Re: CVE-2016-3714 in ImageMagick

2016-05-05 Thread Brian May
FYI: I CCed the debian-lts list.

William Dauchy writes:

> On Wed, May 4, 2016 at 4:17 PM, William Dauchy wrote:
>> I was looking at your last upload:
>> https://packages.qa.debian.org/i/imagemagick/news/20160504T124217Z.html
>>
>> Could you make sure to also integrate
>> https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181
>> in order to completely fix CVE-2016-3714
>
> Sorry I forgot to mention, it goes along with
> https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccfcddc93
> which was marked as incomplete

Hello,

Thanks for your email.

Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to
CVE-2016-3718.

https://security-tracker.debian.org/tracker/source-package/imagemagick

If I correctly understand you, if both of the patches you mention are
applied to imagemagick, this will completely fix CVE-2016-3714?

Thanks
-- 
Brian May