Hi,

On Tue, Dec 27, 2016 at 04:32:02PM -0500, Antoine Beaupré wrote:
> On 2016-12-27 00:52:06, Salvatore Bonaccorso wrote:
> > Hi Antoine and Bastien,
> >
> > On Tue, Dec 20, 2016 at 02:58:21PM -0500, Antoine Beaupré wrote:
> >> Hi secteam,
> >>
> >> I believe the fix for bug#845196 shipped with DSA-3726-1 is incomplete,
> >> at least in stable. It does ship with this patch:
> >>
> >> https://github.com/ImageMagick/ImageMagick/commit/1be809ae06f2fcb094836960edb707f81422e964
> >>
> >> but not this one:
> >>
> >> https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
> >>
> >> so it is missing one fputc check in convert.
> >>
> >> On 2016-12-20 13:34:03, Bastien Roucaries wrote:
> >> > Please reopen and notify security team
> >>
> >> The bug report is actually still opened in stable, according to the BTS,
> >> so I don't believe a change is required there. I have removed the fixed
> >> marker from the security tracker and added a relevant note.
> >
> > So for reference, CVEs were assigned for those. Actually as well one
> > more for the "fwrite issue in ReadGROUP4Image", we should file that as
> > separate bugreport.
> >
> > CVE assignment:
> > http://www.openwall.com/lists/oss-security/2016/12/26/9
>
> Hi!
>
> I see that some of those CVE assignments were integrated in the security
> tracker, but I haven't reviewed them all. Am I correct in assuming that
> all this is done and I don't need to review mitre's message in detail at
> this point?

Yes, I did update the security-tracker information yesterday.

Regards,
Salvatore