False vuxml alarms (ImageMagick)

Oliver Eikemeier eikemeier at fillmore-labs.com
Thu Aug 12 03:09:21 PDT 2004


Andrey Chernov wrote:

> On Thu, Aug 12, 2004 at 11:34:30AM +0200, Oliver Eikemeier wrote:
>> Andrey Chernov wrote:
>>
>>> Hi. When I try to build ImageMagick, I get the error below, but it is a
>>> false alarm about libpng, which is already patched to remove the overflow
>>> (and freshly installed on my machine). I have no idea how to fix the
>>> ImageMagick build properly, please somebody do.
>>>
>>> ===>  ImageMagick-6.0.2.7 has known vulnerabilities:
>>>>> libpng stack-based buffer overflow and other code concerns.
>>>   Reference:
>>> <http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.
>>> html>
>>>>> Please update your ports tree and try again.
>>
>>   http://secunia.com/advisories/12236
>> and
>>   http://www.imagemagick.org/www/Changelog.html
>>
>> list ImageMagick-6.0.2.7 as vulnerable. You can build it nevertheless
>> with make DISABLE_VULNERABILITIES=yes ...
>
> I am not talking about the workaround, I know it. I am talking about the
> way of fixing it _properly_. It is NOT really vulnerable.

The vulnerability database is open for every committer to commit to. But 
before changing the entry: what makes you believe version 6.0.2.7 is not 
vulnerable? http://www.imagemagick.org/www/Changelog.html seems to be a 
good indicator that it is...

-Oliver


