Hello everyone,

First of all, a plug. :-) I have submitted my first .src.rpm to be verified. If you would like to verify the FC1 source package for ImageMagick, or otherwise comment on it, just take your browser to <http://bugzilla.fedora.us/show_bug.cgi?id=2052#c23> and have at it. Please. :-)

Secondly, I am a bit confused about the status of the other portions of the ImageMagick Bug ticket.

A RedHat 9 version was submitted for verification by Marc Deslauriers on Sept. 12th for CAN-2004-0827 (Heap overflow, the original issue). Since then, two new vulnerabilities had been identified which might affect RH9: CAN-2003-0455 (temporary filename) and CAN-2004-0981 (remote EXIF parsing buffer overflow). Marc, are you planning on re-issuing .src.rpm's for those patches?

Various Red Hat 7.3 versions have also been submitted. Some by Simon Weller (also his first submissions for verify QA), with helpful suggestions by Michal Jaegermann (before we became aware of CAN-2003-0455 and CAN-2004-0981), and one by Martin Seigert, that has all extant patches in place, ready to be QA tested.

Except for this-- Michal Jaegermann has introduced some altered patches, because he took issue with Red Hat's patch for CAN-2003-0455. Mike's issue (discussed in Comment #17 ff.) is that RH's patch introduces a new bug - it creates temporary directories that are never deleted, one per invocation of an ImageMagick utility. So he has created a new patch to replace RedHat's to take care of that.

After creasing my brow on his new patch (mentioned in Comment #21), I have submitted some comments to him about it, but I think what he has should work for taking care of both CAN-2003-0455 and getting rid of the temporary directory created to address the CVE.

We need to decide whether or not to accept Michal Jaegermann's updated patch, and move forward with this.

Comments, anyone?

-David