Sami Liedes wrote:
> Hmm, ok. Perhaps some of these bugs (or at least the equivalent
> #412945 which contains some of the same problems that were severity
> grave on graphicsmagick but for imagemagick) should be severity grave
> so the release manager will have to explicitly decide to etch-ignore
> if he decides to release with known security issues? Not that I doubt
> the ability of the RM or the security team to keep track of these,
> just trying to prevent mistakes :) But I'll leave all the severity
> setting to you, I'm hesitant to interfere since I'm not (yet?) a DD.

I disagree about the severity. The code history of graphicsmagick/
imagemagick makes it fairly obvious that they are both unsuitable
for processing images from untrusted sources. An afternoon of fuzzing
will most likely reveal another dozen ways to potentially trigger code
injection.
It might be a good idea to document this more clearly, if this isn't
done yet.

Cheers,
        Moritz
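
The kind of quick mutation fuzzing Moritz alludes to, as an added example that is not from this thread or from either project's own test suite. It assumes a target that takes an input file as its last argument (the default below, `gm identify`, is an assumption; `convert FILE /dev/null` works the same way) and treats a child that dies from a signal, or hangs past the timeout, as a finding. The seed is a constructed PNG-shaped byte string, not a real image corpus, and the output file names are this script's own convention.

```python
"""Minimal mutation fuzzer for a command-line image decoder (added example)."""
import os
import random
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed seed: PNG signature followed by IHDR/IDAT/IEND-shaped chunks.
# In a real run, replace this with a corpus of small real files of each format.
SEED_PNG = bytes.fromhex(
    "89504e470d0a1a0a0000000d49484452000000010000000108060000001f15c489"
    "0000000a4944415478da63000100000500010d0a2db40000000049454e44ae426082"
)

INTERESTING8 = [0x00, 0x01, 0x7F, 0x80, 0xFF]
INTERESTING32 = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]


def mutate(data: bytes, rng: random.Random, rounds: int = 4) -> bytes:
    """Apply a few random mutations aimed at parser bugs: bit flips, boundary
    byte values, 32-bit length/dimension overwrites, deletions and duplications.
    Deterministic for a given rng state, so a case can be regenerated from its seed."""
    buf = bytearray(data)
    for _ in range(rounds):
        if not buf:
            buf = bytearray(SEED_PNG[:8])      # never mutate an empty buffer
        pos = rng.randrange(len(buf))
        choice = rng.randrange(5)
        if choice == 0:                         # flip one bit
            buf[pos] ^= 1 << rng.randrange(8)
        elif choice == 1:                       # boundary byte value
            buf[pos] = rng.choice(INTERESTING8)
        elif choice == 2:                       # clobber a 4-byte length/size field
            val = rng.choice(INTERESTING32).to_bytes(4, rng.choice(("big", "little")))
            buf[pos:pos + 4] = val
        elif choice == 3:                       # delete a run of bytes
            del buf[pos:pos + rng.randrange(1, 17)]
        else:                                   # duplicate a run (repeated chunks)
            buf[pos:pos] = buf[pos:pos + rng.randrange(1, 65)]
    return bytes(buf)


def classify(returncode: Optional[int]) -> Optional[str]:
    """Map a child's return code to a finding label, or None for a clean run.
    A non-zero positive exit (parse error on garbage input) is expected, not a finding;
    a negative code means the child died from that signal; None means it timed out."""
    if returncode is None:
        return "TIMEOUT"
    if returncode >= 0:
        return None
    try:
        return signal.Signals(-returncode).name
    except ValueError:
        return f"SIG{-returncode}"


def run_case(cmd: Sequence[str], data: bytes, timeout: float, workdir: str) -> Optional[int]:
    """Write one test case to disk, run the target on it, return its code (None on timeout)."""
    path = os.path.join(workdir, "input.bin")
    with open(path, "wb") as f:
        f.write(data)
    try:
        proc = subprocess.run([*cmd, path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return proc.returncode


@dataclass
class Finding:
    case: int
    verdict: str
    path: str


def fuzz(cmd: Sequence[str], seed: bytes = SEED_PNG, iterations: int = 200,
         rng_seed: int = 0, timeout: float = 5.0, outdir: Optional[str] = None) -> List[Finding]:
    """Run `iterations` mutated cases; save every crashing or hanging input to outdir."""
    rng = random.Random(rng_seed)
    outdir = outdir or tempfile.mkdtemp(prefix="imgfuzz-")
    findings: List[Finding] = []
    with tempfile.TemporaryDirectory() as work:
        for i in range(iterations):
            data = mutate(seed, rng)
            verdict = classify(run_case(cmd, data, timeout, work))
            if verdict:
                path = os.path.join(outdir, f"case{i:05d}-{verdict}.bin")
                with open(path, "wb") as f:
                    f.write(data)
                findings.append(Finding(i, verdict, path))
    return findings


if __name__ == "__main__":
    # Assumed default target: GraphicsMagick's `gm identify FILE`. Override on the
    # command line, e.g.  python fuzz.py convert   (the input path is appended).
    target = sys.argv[1:] or ["gm", "identify"]
    for hit in fuzz(target, iterations=500):
        print(f"case {hit.case}: {hit.verdict} -> {hit.path}")
```

Run the target built with AddressSanitizer so that heap overflows that do not happen to crash still get reported, and run it in a throwaway container: both decoders dispatch some formats to external delegate programs, so a fuzzed input can execute more than the decoder itself. Each saved case is reproducible from its index and the rng seed, which is what you want when reporting a finding upstream.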

