False vuxml alarms (ImageMagick)

Oliver Eikemeier eikemeier at fillmore-labs.com
Thu Aug 12 03:55:22 PDT 2004

Andrey Chernov wrote:

> On Thu, Aug 12, 2004 at 12:10:57PM +0200, Oliver Eikemeier wrote:
>> The vulnerability database is open for every committer to commit to. 
>> But
>> before changing the entry: what makes you believe version is 
>> not
>> vulnerable? http://www.imagemagick.org/www/Changelog.html seems to be a
>> good indicator that it is...
> Do you mean vuln.xml corresponding entry (ImageMagick) should be 
> removed?

The author leaves me with the impression that there is additional code 
in ImageMagick that is vulnerable to the exploit. Do you thing the entry 
in http://www.imagemagick.org/www/Changelog.html is wrong?

> I mean this part printed, it is wrong:
>>>>>> libpng stack-based buffer overflow and other code concerns.
>>>>  Reference:
>>>> <http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.
>>>> html>
> because libpng is already fixed.

Perhaps we should change the title to `errors in handling of specially 
crafted png files' or make an extra entry for ImageMagick. But since all 
problems seem to be exploited by the same set of png files, the former 
seems to be the proper solution.


More information about the freebsd-ports mailing list