Date: Thu, 12 Aug 2004 12:10:57 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: Andrey Chernov <ache@nagual.pp.ru>
Cc: security@FreeBSD.ORG
Subject: Re: False vuxml alarms (ImageMagick)
Message-ID: <E7492754-EC47-11D8-887A-00039312D914@fillmore-labs.com>
In-Reply-To: <20040812094655.GB89851@nagual.pp.ru>

Andrey Chernov wrote:

> On Thu, Aug 12, 2004 at 11:34:30AM +0200, Oliver Eikemeier wrote:
>> Andrey Chernov wrote:
>>
>>> Hi. When I try to build ImageMagick, I got error below, but it is false
>>> alarm about libpng, which is already patched to remove overflow (and
>>> freshly installed on my machine). I have no idea how to fix ImageMagick
>>> building properly, please somebody do.
>>>
>>> ===> ImageMagick-6.0.2.7 has known vulnerabilities:
>>>>> libpng stack-based buffer overflow and other code concerns.
>>> Reference:
>>> <http://www.FreeBSD.org/ports/portaudit/f9e3e60b-e650-11d8-9b0a-000347a4fa7d.html>
>>>>> Please update your ports tree and try again.
>>
>> http://secunia.com/advisories/12236
>> and
>> http://www.imagemagick.org/www/Changelog.html
>>
>> list ImageMagick-6.0.2.7 as vulnerable. You can build it nevertheless
>> with make DISABLE_VULNERABILITIES=yes ...
>
> I talk not about workaround, I know it. I talk about the way of fixing it
> _properly_. It is NOT vulnerable really.

The vulnerability database is open for every committer to commit to. But
before changing the entry: what makes you believe version 6.0.2.7 is not
vulnerable?

http://www.imagemagick.org/www/Changelog.html

seems to be a good indicator that it is...

-Oliver