On Sat, Dec 31, 2016 at 11:07 AM, Emilio Pozuelo Monfort <poch...@gmail.com> wrote:
> On 28/12/16 23:08, Roberto C. Sánchez wrote:
>> Hi Ola,
>>
>> The issues CVE-2016-8677 and CVE-2016-9559 were fixed by Antoine when he
>> uploaded that latest imagemagick update to LTS. However, the
>> announcement (DLA-756-1) did not list those issues among the issues that
>> were addressed by that update. I have already mentioned it to him a
>> couple of days ago via private email.
>
> Hmm, it seems to me that the CVE-2016-8677 fix is incomplete:
>
> Upstream fix:
> https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60
>
> Our patch:
> https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/tree/debian/patches/0127-CVE-2016-8677.patch?h=debian/8%256.7.7.10-5%2bdeb7u10
>
> I have pushed a fix to the git repo, see:
>
> https://anonscm.debian.org/cgit/collab-maint/debian-lts/imagemagick.git/commit/?id=897f6693d7a98c93e813c0522effdbd69df4cd11
>
> Does that look correct? Unfortunately there's no test case for this issue. How
> do you normally test imagemagick?

I usually run make check with valgrind on, and with recent versions I have a poc directory where I put the PoCs.

The problematic file is here:
https://github.com/ImageMagick/ImageMagick/files/472155/19.crashes.zip

You should run identify nameoffile.

Backporting tiff is usually a nightmare due to frequent code changes on the imagemagick side.

>
> Cheers,
> Emilio
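The testing routine described in the reply above (replaying saved crash files through identify under valgrind) can be scripted as a regression check for a backported patch. This is an added example, not part of the original mail or of the Debian packaging; the function names, the exit code 99 and the verdict labels are assumptions made here, and it expects the crash files to be unpacked into a directory of your choosing.

```shell
#!/bin/sh
# Added example: replay every file in a PoC directory through a command
# (default: identify under valgrind) and classify each result.
MEMCHECK_RC=99   # arbitrary value chosen here to mark valgrind findings

# classify_rc RC -> prints ok | memcheck | notrun | crash | rejected
classify_rc() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -eq "$MEMCHECK_RC" ]; then echo memcheck   # valgrind reported errors
    elif [ "$1" -eq 126 ] || [ "$1" -eq 127 ]; then echo notrun  # tool missing
    elif [ "$1" -gt 128 ]; then echo crash                 # killed by a signal
    else echo rejected                                     # clean error exit
    fi
}

# run_pocs DIR [CMD...]: run CMD FILE for each regular file in DIR.
# Prints "verdict<TAB>file"; returns 1 if any file gave memcheck/crash/notrun.
run_pocs() {
    dir=$1; shift
    # Default command when none is given on the command line.
    [ "$#" -gt 0 ] || set -- valgrind --quiet --error-exitcode="$MEMCHECK_RC" identify
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rc=0
        "$@" "$f" >/dev/null 2>&1 </dev/null || rc=$?
        verdict=$(classify_rc "$rc")
        printf '%s\t%s\n' "$verdict" "$f"
        case $verdict in memcheck|crash|notrun) bad=1 ;; esac
    done
    return "$bad"
}
```

A "rejected" verdict is the expected outcome for a malformed file on a correctly patched build; "memcheck" or "crash" on the unpatched build that disappears after the patch is the evidence the backport took effect.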