ImageMagick status - Heap Overflow ++ ? (Bugzilla # 2052)

David Eisenstein deisenst at gtw.net
Wed Nov 17 10:33:33 UTC 2004


Hello everyone,

First of all, a plug.  :-)  I have submitted my first .src.rpm to be
verified.  If you would like to verify the FC1 source package for
ImageMagick, or otherwise comment on it, just take your browser to

	<http://bugzilla.fedora.us/show_bug.cgi?id=2052#c23>

and have at it.  Please.  :-)

Secondly, I am a bit confused about the status of the other portions
of the ImageMagick Bug ticket.  A RedHat 9 version was submitted for
verification by Marc Deslauriers on Sept. 12th for CAN-2004-0827 (Heap
overflow, the original issue).  Since then, two new vulnerabilities had
been identified which might affect RH9:  CAN-2003-0455 (temporary
filename) and CAN-2004-0981 (remote EXIF parsing buffer overflow).  Marc, 
are you planning on re-issuing .src.rpm's for those patches?

Various Red Hat 7.3 versions have also been submitted.  Some by Simon
Weller (also his first submissions for verify QA), with helpful
suggestions by Michal Jaegermann (before we became aware of CAN-2003-0455
and CAN-2004-0981), and one by Martin Seigert, that has all extant
patches in place, ready to be QA tested.

Except for this-- Michal Jaegermann has introduced some altered patches,
because he took issue with Red Hat's patch for CAN-2003-0455.  Mike's
issue (discussed in Comment #17 ff.) is that RH's patch introduces a new
bug - it creates temporary directories that are never deleted, one per
invocation of an ImageMagick utility.  So he has created a new patch to
replace RedHat's to take care of that.  After creasing my brow on his new
patch (mentioned in Comment #21), I have submitted some comments to him
about it, but I think what he has should work for taking care of both
CAN-2003-0455 and getting rid of the temporary directory created to address
the CVE.

We need to decide whether or not to accept Michal Jaegermann's updated
patch, and move forward with this.

Comments, anyone?

			-David



