On Feb/11, Brian May wrote:
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
>
> I have been advised each of these issues should have its own CVE.
>
> I have also been advised that the memory leaks aren't worth bothering
> with, so that leaves 0070, 0071, and 0072 that we would need to deal
> with.
>
> Out of this, only the 0071 patch applies cleanly to the version in
> squeeze.
>
> I also note that a number of security issues concerning imagemagick
> have been marked no-DSA for wheezy and jessie.
>
> What would you advise for these issues?

Having a CVE associated to each security issue is definitely a plus, at
the very least for those issues serious enough to be fixed via a DSA/DLA.

> Also I note that a number of security issues fixed in squeeze-lts
> don't have assigned CVEs - is this something that needs rectifying?

It's always a plus, yes.

So, to summarize:
- imagemagick in squeeze appears to only be vulnerable to
  TEMP-0811308-B63DA1[0].
- issues fixed via a DLA, but lacking a CVE, are:
  + TEMP-0806441-CB092C[1]
  + TEMP-0806441-76CD60[2]
  + TEMP-0773834-5EB6CF[3]

I personally would only request CVEs for those 4 issues, even though in
the end it's your choice to also ask for those tagged no-dsa.

Cheers,
--Seb

[0] https://security-tracker.debian.org/tracker/TEMP-0811308-B63DA1
[1] https://security-tracker.debian.org/tracker/TEMP-0806441-CB092C
[2] https://security-tracker.debian.org/tracker/TEMP-0806441-76CD60
[3] https://security-tracker.debian.org/tracker/TEMP-0773834-5EB6CF