On Sat, 07 May 2016 at 23:34:12 +0100, Simon McVittie wrote:
> On Sat, 07 May 2016 at 23:36:36 +0200, Markus Koschany wrote:
> > CVE-2016-4561 would be rather easy to fix in Wheezy but if you think the
> > ImageMagick mitigation is even more important, it is certainly possible
> > to fix that too.
>
> Yes, I do think that. The security team have given me permission to
> upload both changes to jessie-security, so that's in the pipeline now.
>
> I'll look into preparing a matching wheezy update tomorrow.

Please review and/or test:

<https://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/debian-wheezy-proposed>
<https://people.debian.org/~smcv/ikiwiki_3.20120629.2+deb7u1/>
(unsigned temporary package for testing, will be signed when ready)

Note that I haven't done any real-world testing on this version, because
I haven't run wheezy since around the time jessie was released, and my
production ikiwiki instances use the latest upstream release from
jessie-backports. t/img.t passes in autopkgtest and an SVG [[!img]] in
the documentation still works, though.

The ImageMagick mitigation involved some re-indentation, so the easiest
version to review is probably ignore-space-change.patch, which is the
result of git diff --ignore-space-change.

Some notes about the debdiff to pre-empt questions that people will
probably have:

* Some diffs appear twice. This is because debdiff dereferences symbolic
  links and compares the content: NEWS and ChangeLog are symlinks to
  equivalents in debian/.

* .gitignore and .gitattributes are in the debdiff because old
  git-buildpackage excluded them, and new git-buildpackage doesn't. They
  should have no practical effect either way, and I don't intend to waste
  time redoing the package to exclude them.

* I backported the entire img plugin because the mitigation doesn't merge
  cleanly onto a 4 year old version, and in my opinion, either resolving
  the conflicts or arbitrarily reverting individual bug fixes would have a
  higher risk of regressions than taking the whole thing. It is now
  identical to what's in jessie-security, and almost identical to what's
  in sid (an extra commit making img_allowed_formats case-insensitive was
  accidentally left out of 3.20160506 and will be in the next release to
  sid).

* The autopkgtest suite only includes img.t and not the complete test
  suite from sid, because turning the build-time tests into as-installed
  tests post-jessie involved a significant diffstat.

Regards,
    S