False vuxml alarms (ImageMagick)
Oliver Eikemeier
eikemeier at fillmore-labs.com
Thu Aug 12 03:55:22 PDT 2004
Andrey Chernov wrote:
> On Thu, Aug 12, 2004 at 12:10:57PM +0200, Oliver Eikemeier wrote:
>> The vulnerability database is open for every committer to commit to.
>> But
>> before changing the entry: what makes you believe version 6.0.2.7 is
>> not
>> vulnerable? http://www.imagemagick.org/www/Changelog.html seems to be a
>> good indicator that it is...
>
> Do you mean vuln.xml corresponding entry (ImageMagick) should be
> removed?
The author leaves me with the impression that there is additional code
in ImageMagick that is vulnerable to the exploit. Do you thing the entry
in http://www.imagemagick.org/www/Changelog.html is wrong?
> I mean this part printed, it is wrong:
>
>>>>>> libpng stack-based buffer overflow and other code concerns.
>>>> Reference:
>>>> <http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.
>>>> html>
>
> because libpng is already fixed.
Perhaps we should change the title to `errors in handling of specially
crafted png files' or make an extra entry for ImageMagick. But since all
problems seem to be exploited by the same set of png files, the former
seems to be the proper solution.
-Oliver
More information about the freebsd-ports
mailing list