From 196 not solved, security

[bastien-roucaries]

Three CVEs have been assigned for those issues. AFAICT, the one for the error handling of the fwrite's in ReadGROUP4Image would still be open?

Check return of write function

Debian bug: https://bugs.debian.org/845196
Reference URL: https://security-tracker.debian.org/845196
Upstream commit:

• 933e96f
  02a046e7
• 4e914bb
  710069f9 Upstream issue: Completion of error handling #196
  Upstream version fixed: 7.0.1-10

The above fixes may be incomplete, according to the upstream issue. In
addition, the -6 branch seems to have an incomplete fix as well.

Use CVE-2016-10060 for the issue fixed in 933e96f.
Use CVE-2016-10061 for the issue fixed in 4e914bb.

Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
specifically noted at the beginning of issues/196, but not fixed in
either of these commits. It is not the same as the fputc issue in
ReadGROUP4Image.

Origin: https://marc.info/?l=oss-security&m=148278818528413&w=2

[mikayla-grace]

Best practices suggest that an application check the status of each and every system call and we're working on that over time. #196 was classified as a low priority because no reproducible exploit was provided. However, renewed interest in the issue pushes the priority higher. Consequently we intend to provide a patch within the next few days.