On Sun, 9 Jul 2017, László Böszörményi wrote:
Hi Salvatore,
On Sun, Jul 9, 2017 at 10:06 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
the following vulnerability was published for graphicsmagick.
CVE-2017-11102[0]:
Thanks for the heads-up - luckily I already known this. At the moment
I'm sure it affects Stretch as well. I mean, JNG support is not
enabled, neither disabled and depends on the software environment
GraphicsMagick compiled in. This means any user may compile
GraphicsMagick on his/her system, can be vulnerable. The fix is in two
commits and while the second seems to be a code cleanup only, it
breaks the package. Pinged upstream about it, but I still waiting for
the answer.
As far as I am aware, I do not have any email from you about this.
While there was intermediate breakage, the png.c changes between
Mercurial changeset 15059:dea93a690fc1 and 15066:e8f859704230 are
believed to solve the assertion problem, as well as solve a memory
leak problem in the error path. The test suite is completely passing.
hg diff -r 15059 -r 15066 coders/png.c
Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
