On Tue, 5 Jul 2016, László Böszörményi wrote:

> I don't think 1.3.24 would be an easy target for Jessie. Maybe apply
> the first set of patches, release it as a DSA, then add the others, a
> new DSA... But it's also not the best idea.
> I include the Security Team in this discussion, to see what they say about this.

There are still more security related fixes in the MVG/SVG rendering code (e.g. changeset 14860:6071b5820215). Also some of the error checking which was added is apparently too strict and causing failures with SVG files which were previously accepted. It is my intention to release a 1.3.25 which primarily fixes parsing issues introduced with 1.3.24 as well as fixes heap/stack overflow/overrun issues in the rendering code.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
