From: Kei Kebreau
Subject: Re: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes CVE-2016-{8677, 8862}].
Date: Tue, 25 Oct 2016 23:13:27 -0400
Message-ID: <878ttb7qg8.fsf@openmailbox.org>
References: <87eg346vct.fsf@openmailbox.org> <20161026014219.GA1600@jasmine>
In-Reply-To: <20161026014219.GA1600@jasmine> (Leo Famulari's message of "Tue, 25 Oct 2016 21:42:19 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Tue, Oct 25, 2016 at 04:12:50PM -0400, Kei Kebreau wrote:
>> From 82f792a33f55e6514d3d4f8285e9be3b8c6e161a Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau
>> Date: Tue, 25 Oct 2016 16:03:26 -0400
>> Subject: [PATCH] gnu: imagemagick: Update to 7.0.3-4 [Fixes
>> CVE-2016-{8677,8862}].
>>
>> * gnu/packages/imagemagick.scm (imagemagick): Update to 7.0.3-4.
>
> So far, we've packaged ImageMagick 6, which is still maintained.
> Apparently the API changed in 7. I don't know the status of adoption of
> the new version.
>
>> See:
>> https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c
>
> On the ImageMagick-6 branch, this was fixed in
> 524349d2b3fed7fa0e53de2c908458474eb24418 and released as 6.9.5-10.
>
> http://git.imagemagick.org/repos/ImageMagick/commit/524349d2b3fed7fa0e53de2c908458474eb24418
>
>> and
>> https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/.
>
> I don't see this fix on the 6 branch, but a similar change was made
> earlier in 3c9533980a9476caa649de3b248dfefd3f182866 and released in
> 6.9.4-0.

Well, I guess we were fine to begin with!