Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10
> Looks like I found the issue: > > 0224-Ensure-token-does-not-overflow.patch corresponds to [0]. This patch > was meant for ImageMagick 7.x, not 6.x. The correct patch is [1] (the one > used in stretch). > > This will be fixed in the next security update. Not completely true. After spending some more time on this issue, I found out that the following three patches are missing in jessie: https://github.com/ImageMagick/ImageMagick6/commit/fc8ccba0f20ca330d959fcbb17a791e5b52ac53e https://github.com/ImageMagick/ImageMagick6/commit/7573b8712697a3d34143eb3e6ea814287cc4c6a7 https://github.com/ImageMagick/ImageMagick6/commit/4cc316818e5b841ff5a9394a0730d5be6e8686ce backporting them is sufficient to fix the issue. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10
> I'm working on imagemagick on behalf of the Debian LTS team and just > noticed this bug report. > > I have reproduced this issue in jessie, and can confirm that this > regression is still present in 8:6.8.9.9-5+deb8u18. I can also confirm > that the regression was introduced between patch 0224 and 0227. > > I'll try to ship a patch for this along with the next jessie update. Looks like I found the issue: 0224-Ensure-token-does-not-overflow.patch corresponds to [0]. This patch was meant for ImageMagick 7.x, not 6.x. The correct patch is [1] (the one used in stretch). This will be fixed in the next security update. cheers, Hugo [0] https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4 [1] https://github.com/ImageMagick/ImageMagick6/commit/663e70e90257797f4634ea8dd4a31e0947d1f266 -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10
Hi, I'm working on imagemagick on behalf of the Debian LTS team and just noticed this bug report. I have reproduced this issue in jessie, and can confirm that this regression is still present in 8:6.8.9.9-5+deb8u18. I can also confirm that the regression was introduced between patch 0224 and 0227. I'll try to ship a patch for this along with the next jessie update. regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10
Package: imagemagick Version: 8:6.8.9.9-5+deb8u10 Severity: normal Ubuntu imagemagick security updates are based on Debian security updates. The latest round of jessie updates introduced a regression. Please see the downstream bug report for a reproducer script: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1707015 I've tracked this down to the 0224-Ensure-token-does-not-overflow.patch patch, but I haven't come up with a fix yet.