Date: Thu, 1 Jan 2015 15:41:50 +0100
From: Bastien ROUCARIES <roucaries.bastien@...il.com>
To: Gynvael Coldwind <gynvael@...dwind.pl>
Cc: oss-security@...ts.openwall.com, jodie.cunningham+osssecurity@...il.com
Subject: Re: Imagemagick fuzzing bug

On Wed, Dec 24, 2014 at 10:32 PM, Gynvael Coldwind <gynvael@...dwind.pl> wrote:
> Hey,
>
> Original reporter from google side here.
>
>>
>> You are aware that there is graphicsmagick which shares lots of code
>> with im (it's an early fork)? It'd be nice to also report these issues
>> to them if they apply. (I also reported a couple of issues in both
>> im/gm lately and devs were always quick to fix things)
>
>
> Do you know if either im or gm backport fixes from each other?
> I fuzzed only im, so I've reported to im. I don't mind reporting to both in
> the future, but if they DO backport fixes, that would lead into collisions
> (i.e. two different fixes for one bug, makes merging harder).

Usually I ask for Debian graphicsmagick to check the code condition.
But to my best knowledge they do not backport, except if you ask. So
you should try your image on graphicsmagick and check if it crashes.

BTW one patch was not correct; please find the updated patch queue here:
http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian-patches/6.8.9.9-5

I have backported to 6.7.7.10 here
http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian/6.7.7.10-5%2bdeb7u4
(not yet fully tested)

And I plan to backport to 6.6.0.4

Bastien

> Cheers,
> Gynvael
