Hi,
* Daniel Kobras <[EMAIL PROTECTED]> [2007-09-30 13:28]:
> On Sun, Sep 30, 2007 at 01:54:12AM +0200, Nico Golde wrote:
> > I intend to NMU this bug on behalf of the testing security
> > team.
>
> Next time, please leave the maintainers more than 12 hours to respond
> when you NMU for a bug that's open for less than three days. It also
> helps to drop the maintainers a note before you start doing some work to
> avoid duplication.

Alright.

> > I ported the patches to 6.2.4.5. The attached patch fixes
> > the 4 CVE ids.
>
> Yes, and it breaks the package on 64bit archs

Why?

> , and introduces a new security hole in the DCM coders.

Ah I see, do you mean this one?
- AcquireMagickMemory((size_t) (max_value+1)*sizeof(*scale));
+ scale=(Quantum *) AcquireQuantumMemory(length,sizeof(*scale));

> Nico, I appreciate your intent to help
> with these bugs, but please don't blindly apply some random, unchecked
> patches and call it a security upload.

They weren't unchecked, I checked them (well I can make failures too ;).
Since they don't apply with imagemagick sources in Debian there was
also no blind applying here.

> I'll fixup this mess with a
> maintainer upload later on. It's currently test-building.

Sorry for everything I broke, if you tell me what I exactly break I
also can fix this. The reason for doing this NMU fairly fast is that
there was no reaction in the BTS so I thought there is no one working
on this. Any help I can give, please let me know and sorry again...

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
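Review bot: on the `+` line of the DCM fragment quoted above, the element count handed to AcquireQuantumMemory is `length`, whereas the removed line sized the buffer from `max_value+1`, and nothing in the two quoted lines shows how `length` is derived. The patch should either pass `max_value+1` as the count or show in the same hunk that `length` is at least that large, and the returned `scale` pointer should be checked for NULL before use.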