Control: tags -1 + confirmed

On Mon, 2016-01-18 at 21:39 +0100, Vincent Fourmond wrote:
> On Thu, Jan 14, 2016 at 10:49 PM, Vincent Fourmond
> <fourm...@debian.org> wrote:
> > On Thu, Jan 14, 2016 at 10:44 PM, Adam D. Barratt
> > <a...@adam-barratt.org.uk> wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Thu, 2016-01-14 at 22:33 +0100, Vincent Fourmond wrote:
> > > > The imagemagick maintainers (mostly Bastien) have prepared a new
> > > > version of imagemagick for stable that fixes a series of minor
> > > > security issues that the security team did not deem worthy of an
> > > > upload to stable-security. Can we upload the following package?
> > > > Here is the changelog:
> > >
> > > While I've not checked each fix individually (mostly due to the lack
> > > of Debian bugs referenced), at least these changes:
> > >
> > > > > - Fix an integer overflow that can lead to a buffer overrun
> > > > >   in the icon parsing code (LP: #1459747, closes: #806441)
> > > > > - Fix an integer overflow that can lead to a double free in
> > > > >   pict parsing (LP: #1448803, closes: #806441).
> > >
> > > claim not to be fixed in unstable according to the BTS metadata,
> > > which is a pre-requisite for fixing them in stable. Please could you
> > > clarify the status of those and the other fixes.
> >
> > You are unfortunately correct. We have uploaded a fix to experimental,
> > but it may not make its way before a while to unstable, so probably the
> > wisest course is to backport the changes to unstable, and then, I'll
> > get back to you.
>
> I have uploaded a -7 version to unstable that fixes the security
> problems mentioned above (some of those had been fixed before). I also
> have updated the changelog to make the changes easier to track.
> Essentially, the upload I'm proposing (debdiff to stable attached)
> makes stable and unstable identical, since there were only security
> fixes involved (the bulk of the work is happening in experimental, but
> there are transitions involved, so it's not very fast...).
>
> Is that OK for an upload to jpu?

The no-op changes to the patches you haven't changed (i.e. the first 56)
are rather noisy. Some of the new patches also appear to include
unrelated changes; for instance:

+Subject: [PATCH] Fix PixelColor off by one on i386
[...]
+- "XmlMissingElement", "<levels>, slot \"%s\"", slot);
++ "XmlMissingElement","<levels>, slot \"%s\"",slot);

Assuming that the resulting package has been tested on Jessie, please go
ahead.

Regards,

Adam