Summary: | media-gfx/graphicsmagick is also subject to format string issues | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thierry Carrez (RETIRED) <koon> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | graphics+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Thierry Carrez (RETIRED)
2006-01-18 12:19:00 UTC
Calling grapics herd _very_ late to advise on this. I suppose this is the equivalent in GraphicsMagick magick/image.c: /* Rectify multi-image file support. */ FormatString(filename,image_info->filename,0); if ((LocaleCompare(filename,image_info->filename) != 0) && (strchr(filename,'%') == (char *) NULL)) image_info->adjoin=False; magick_info=GetMagickInfo(magic,exception); if (magick_info != (const MagickInfo *) NULL) image_info->adjoin&=magick_info->adjoin; return(True); } if (image_info->affirm) return(True); /* Determine the image format from the first few bytes of the file. */ vanquirius: yes, please apply same patch ? I bumped graphicsmagick to 1.1.7 and applied taviso's patch from the imagemagick bug. The code is a bit different from imagemagick and I can't reproduce the issue with this patch as described in the debian bugtracker. That said, this patch may or may not be correct - an extra set of eyes would probably be in order :) - FormatString(filename,image_info->filename,0); + FormatString(filename,"%s",image_info->filename,0); Looks good to me. Arches please test and mark 1.1.7 stable x86 stable \(^.^)/ ppc stable GLSA 200602-13 |