Date: Thu, 12 Aug 2004 12:56:57 +0200
From: Oliver Eikemeier
To: Andrey Chernov
Cc: ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: False vuxml alarms (ImageMagick)
In-Reply-To: <20040812102051.GA92918@nagual.pp.ru>
Message-Id: <544C53D4-EC4E-11D8-887A-00039312D914@fillmore-labs.com>

Andrey Chernov wrote:

> On Thu, Aug 12, 2004 at 12:10:57PM +0200, Oliver Eikemeier wrote:
>> The vulnerability database is open for every committer to commit to. But
>> before changing the entry: what makes you believe version 6.0.2.7 is not
>> vulnerable? http://www.imagemagick.org/www/Changelog.html seems to be a
>> good indicator that it is...
>
> Do you mean vuln.xml corresponding entry (ImageMagick) should be
> removed?

The author leaves me with the impression that there is additional code in ImageMagick that is vulnerable to the exploit.
Do you think the entry in http://www.imagemagick.org/www/Changelog.html is wrong?

> I mean this part printed, it is wrong:
>
>>>>>> libpng stack-based buffer overflow and other code concerns.
>>>> Reference:
>>>>
>>> html>
>
> because libpng is already fixed.

Perhaps we should change the title to `errors in handling of specially crafted png files' or make an extra entry for ImageMagick. But since all problems seem to be exploited by the same set of png files, the former seems to be the proper solution.

-Oliver