Hello all,

I'd like to ask for some feedback on the situation of CVE-2020-10938 which affects graphicsmagick. I have included both the LTS list and the security team in the 'To' field as the vulnerability affects all versions of graphicsmagick and it makes sense that the same approach regarding this issue be applied across all Debian releases.

The specific issue is that the upstream changeset [0] includes two functional changes, as described by the changelog entry:

  * magick/compress.c (HuffmanDecodeImage): Fix signed overflow on range
    check which leads to heap overflow in 32-bit applications. Requires a
    relatively large file input to trigger. Problem reported to the
    graphicsmagick-security mail address by Justin Tripp on 2019-11-13.
    (Ascii85Tuple): Fix thread safety issue by requiring caller to pass in
    tuple buffer as an argument and having callers allocate tuple buffer on
    the stack.

The first change is the one associated with CVE-2020-10938. The second change, however, is not. I have contacted the upstream author and he has informed me that he made both changes in the interest of maintaining the overall quality and security of the code and that the CVE was only assigned after the changes had been committed. He also noted that some people would likely consider the thread safety issue to have security implications.

That said, there are two possible approaches:

1. Remove the part of the change set which addresses the thread safety issue, leaving only the part that pertains to CVE-2020-10938. This is an easy and straightforward operation.

2. Leave the change set intact with both functional changes, and:
   a. mention only CVE-2020-10938 in debian/changelog and the associated advisories
   b. mention CVE-2020-10938 and the thread safety issue as a separate concern without an associated CVE

I am in favor of including both changes, but I am not certain about whether it is better to mention both in the changelog and advisories or whether it is better to only mention CVE-2020-10938. I lean slightly toward mentioning both CVE-2020-10938 and the thread safety issue, but if that is not a good idea I can be easily persuaded.

Regards,

-Roberto

[0] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/95abc2b694ce

-- 
Roberto C. Sánchez
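The two bug classes named in that changelog entry, shown as an added illustration in C that is not GraphicsMagick's code and not part of the original message (the real changeset is at [0] and is not reproduced here): a hypothetical decoder range check that wraps in 32-bit signed arithmetic next to an overflow-safe form of the same check, and an Ascii85 tuple encoder written with a caller-supplied buffer instead of a shared static one. The function names, the buffer/offset/length layout and the sample inputs are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Signed overflow in a range check --------------------------------
 * Hypothetical decoder state: a buffer of `size` bytes, a read cursor at
 * `offset`, and a request to consume `length` more bytes.  The naive check
 * forms offset + length in 32-bit signed arithmetic.  Signed overflow is
 * undefined in C, so the wrap is emulated here with unsigned arithmetic to
 * keep the demonstration well-defined; the observable effect is the same:
 * a very large request wraps to a negative sum, passes the "<= size" test,
 * and the caller would then touch memory past the end of the buffer. */
static bool naive_range_check_wraps(int32_t offset, int32_t length, int32_t size)
{
    int32_t sum = (int32_t)((uint32_t)offset + (uint32_t)length); /* wraps */
    return sum <= size;   /* accepted when sum went negative: the bug */
}

/* Overflow-safe form: reject negative inputs, then compare the request
 * against the remaining space instead of forming the sum at all. */
static bool safe_range_check(int32_t offset, int32_t length, int32_t size)
{
    if (offset < 0 || length < 0 || size < 0)
        return false;
    if (offset > size)
        return false;
    return length <= size - offset;   /* size - offset cannot overflow here */
}

/* --- 2. Thread safety of a tuple encoder --------------------------------
 * Ascii85 encodes each 4-byte group as 5 printable characters ('!'..'u').
 * A variant returning a pointer to a `static char buf[6]` would be shared
 * by every thread that calls it, so concurrent encoders could overwrite each
 * other's result before it was copied out.  The thread-safe form takes the
 * output buffer from the caller, who keeps it on its own stack. */
static char *ascii85_tuple(const unsigned char in[4], char out[6])
{
    uint32_t value = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                     ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    for (int i = 4; i >= 0; i--) {
        out[i] = (char)('!' + value % 85);
        value /= 85;
    }
    out[5] = '\0';
    return out;
}

/* Check helper: encode one 4-byte group into a caller-owned buffer and
 * compare with the expected 5-character string.  Returns 1 on match. */
static int ascii85_tuple_matches(const char *group, const char *expected)
{
    char buf[6];   /* one buffer per call, on this thread's stack */
    ascii85_tuple((const unsigned char *)group, buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a request of INT32_MAX + 16 bytes in a 1024-byte buffer. */
    printf("naive check accepts oversized request: %d\n",
           naive_range_check_wraps(INT32_MAX, 16, 1024));
    printf("safe  check accepts oversized request: %d\n",
           safe_range_check(INT32_MAX, 16, 1024));
    char buf[6];
    printf("\"Man \" -> %s\n", ascii85_tuple((const unsigned char *)"Man ", buf));
    return 0;
}
```

The naive check accepts the oversized request because the wrapped sum is negative, while the safe check rejects it; the encoder returns the well-known Ascii85 value "9jqo^" for the group "Man " without any shared state between calls.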