Date: Thu, 12 Aug 2004 11:42:57 -0400
From: Michael Edenfield <kutulu@kutulu.org>
To: Andrey Chernov <ache@nagual.pp.ru>, Oliver Eikemeier <eikemeier@fillmore-labs.com>, ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: False vuxml alarms (ImageMagick)
Message-ID: <20040812154257.GA1084@wombat.jungle>
In-Reply-To: <20040812111923.GA95203@nagual.pp.ru>
References: <20040812102051.GA92918@nagual.pp.ru> <544C53D4-EC4E-11D8-887A-00039312D914@fillmore-labs.com> <20040812111923.GA95203@nagual.pp.ru>

* Andrey Chernov <ache@nagual.pp.ru> [040812 07:21]:
> On Thu, Aug 12, 2004 at 12:56:57PM +0200, Oliver Eikemeier wrote:
>
> > >>>>>>libpng stack-based buffer overflow and other code concerns.
> >
> > Perhaps we should change the title to `errors in handling of specially
> > crafted png files' or make an extra entry for ImageMagick. But since all
> > problems seem to be exploited by the same set of png files, the former
> > seems to be the proper solution.
>
> But this one should be removed. The root of the whole problem is: ImageMagick
> does not understand patched libpng well. The entry should be rewritten to
> something like that, instead of the confusing one. Please don't ask me to go
> and commit, not with my bad English.

I believe the phrasing you are looking for is something like:

"Missing support for latest libpng security updates."

or something like that, which indicates that ImageMagick itself doesn't
have a security flaw but it also doesn't work with the patched libpng.

Also, would the same situation apply to other ports (mozilla and
firefox, for example) which just use libpng? I haven't looked too
deeply into the problem, I just upgrade libpng and everything else :)

--K