False vuxml alarms (ImageMagick)
ache at nagual.pp.ru
Thu Aug 12 04:22:13 PDT 2004
On Thu, Aug 12, 2004 at 12:56:57PM +0200, Oliver Eikemeier wrote:
> The author leaves me with the impression that there is additional code
> in ImageMagick that is vulnerable to the exploit. Do you thing the entry
> in http://www.imagemagick.org/www/Changelog.html is wrong?
Yes, you are right about this one. I just compare 6.0.2 and 6.0.4 and
found that 6.0.2 not understand new (fixed) libpng error codes and going
mad as result. This one record must be keeped.
> >>>>>>libpng stack-based buffer overflow and other code concerns.
> Perhaps we should change the title to `errors in handling of specially
> crafted png files' or make an extra entry for ImageMagick. But since all
> problems seem to be exploited by the same set of png files, the former
> seems to be the proper solution.
But this one should be removed. The root of whole problem is: ImageMagick
not understand patched libpng well. The entry should be rewritted to
something like that, instead of confusing one. Please don't ask me to go
and commit, not with my bad English.
Andrey Chernov | http://ache.pp.ru/
More information about the freebsd-ports