On Feb/11, Brian May wrote:
> 0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
> 0070-Fix-PixelColor-off-by-one-on-i386.patch
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
> 0073-Fixed-memory-leaks.patch
>
> I have been advised each of these issues should have its own CVE.
>
> I have also been advised that the memory leaks aren't worth bothering
> with, so that leaves 0070, 0071, and 0072 that we would need to deal
> with.
>
> Out of this, only the 0071 patch applies cleanly to the version in
> squeeze.
>
> I also note that a number of security issues concerning imagemagick
> have been marked no-DSA for wheezy and jessie.
>
> What would you advise for these issues?
Having a CVE associated to each security issue is definitely a plus, at
the very least for those issues serious enough to be fixed via a
DSA/DLA.
> Also I note that a number of security issues fixed in squeeze-lts
> don't have assigned CVEs - is this something that needs rectifying?
It's always a plus, yes.
So, to summarize:
- imagemagick in squeeze appears to only be vulnerable
TEMP-0811308-B63DA1[0].
- issues fixed via a DLA, but lacking a CVE, are:
+ TEMP-0806441-CB092C[1]
+ TEMP-0806441-76CD60[2]
+ TEMP-0773834-5EB6CF[3]
I personally would only request CVEs for those 4 issues, even though in
the end it's your choice to also ask for those tagged no-dsa.
Cheers,
--Seb
[0] https://security-tracker.debian.org/tracker/TEMP-0811308-B63DA1
[1] https://security-tracker.debian.org/tracker/TEMP-0806441-CB092C
[2] https://security-tracker.debian.org/tracker/TEMP-0806441-76CD60
[3] https://security-tracker.debian.org/tracker/TEMP-0773834-5EB6CF
