Re: CVE-2016-3714 in ImageMagick
Salvatore Bonaccorsowrites: > See the discussion about this on > http://www.openwall.com/lists/oss-security/2016/05/03/19 though. Thanks for this. I did see it at the time, however didn't get a chance yet to read it properly. Also see the comment at the bottom of https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181 It does seem like that these 2 patches combined don't fix CVE-2016-3714 and I can't see anything that attempts to fix CVE-2016-3715 - CVE-2016-3718 either. -- Brian May
Re: CVE-2016-3714 in ImageMagick
Hi, On Thu, May 05, 2016 at 10:20:06AM +0200, William Dauchy wrote: > Hi Brian, > > Thank you for you answer. > > On Thu, May 5, 2016 at 9:52 AM, Brian Maywrote: > > Thanks for you email. > > Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to > > CVE-2016-3718. > > https://security-tracker.debian.org/tracker/source-package/imagemagick > > If I correctly understand you, if both of the patches you mention are > > applied to imagemagick, this will completely fix CVE-2016-3714? > > Yes indeed. > https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccfcddc93 > https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181 > It should be applied to both wheezy and jessie. See the discussion about this on http://www.openwall.com/lists/oss-security/2016/05/03/19 though. Regards, Salvatore
Re: CVE-2016-3714 in ImageMagick
Hi Brian, Thank you for you answer. On Thu, May 5, 2016 at 9:52 AM, Brian Maywrote: > Thanks for you email. > Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to > CVE-2016-3718. > https://security-tracker.debian.org/tracker/source-package/imagemagick > If I correctly understand you, if both of the patches you mention are > applied to imagemagick, this will completely fix CVE-2016-3714? Yes indeed. https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccfcddc93 https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181 It should be applied to both wheezy and jessie. -- William
Re: CVE-2016-3714 in ImageMagick
FYI: I CCed the debian-lts list. William Dauchywrites: > On Wed, May 4, 2016 at 4:17 PM, William Dauchy wrote: >> I was looking at your last upload: >> https://packages.qa.debian.org/i/imagemagick/news/20160504T124217Z.html >> >> Could you make sure to also integrate >> https://github.com/ImageMagick/ImageMagick/commit/a347456a1ef3b900c20402f9866992a17eb5d181 >> in order to completely fix CVE-2016-3714 > > Sorry I forgot to mention, it goes along with > https://github.com/ImageMagick/ImageMagick/commit/06c41aba39b97203f6b9a0be6a2ccfcddc93 > which was marked as incomplete Hello, Thanks for you email. Looks like imagemagick in wheezy is vulnerable to CVE-2016-3714 to CVE-2016-3718. https://security-tracker.debian.org/tracker/source-package/imagemagick If I correctly understand you, if both of the patches you mention are applied to imagemagick, this will completely fix CVE-2016-3714? Thanks -- Brian May