
List:       oss-security
Subject:    Re: [oss-security] Security issues addressed in GraphicsMagick SVG reader
From:       Bob Friesenhahn <bfriesen () simple ! dallas ! tx ! us>
Date:       2016-05-31 13:56:55
Message-ID: alpine.GSO.2.20.1605310854360.4552 () freddy ! simplesystems ! org

On Tue, 31 May 2016, Stefan Cornelius wrote:

> On Fri, 27 May 2016 09:37:38 -0500 (CDT)
> Bob Friesenhahn <bfriesen@simple.dallas.tx.us> wrote:
>
>> ===========================================
>> SVG Security Improvements in GraphicsMagick
>> ===========================================
>>
>> This is a summary of security improvements made to development
>> GraphicsMagick's SVG reader since the 1.3.23 release.  These
>> improvements were made in response to fuzz testing by Gustavo Grieco
>> (using Quickfuzz) which resulted in CVE-2016-2317 and
>> CVE-2016-2318.  We are thankful that Gustavo has been willing to
>> continue fuzz testing as improvements have been made.
>
> Hi,
>
> I'm curious, are these the CVEs for the issues that still have an
> outstanding CVE request at http://seclists.org/oss-sec/2016/q2/180 - or
> are they completely unrelated?
>
> (If they are indeed the same/related, can you give more details about
> the exact mapping?)

Gustavo Grieco's CVE request regarding DoS is completely unrelated to 
the listed CVEs (CVE-2016-2317/CVE-2016-2318).  Regardless, fixes were 
made for these two issues as well and are included in the release.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/