
Re: How to handle freeimage package



On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> > 
> > So a useful next step would be to break those reports down into separate
> > bug reports and file them there so that upstream actually learns about
> > them.
> 
> I don't think that makes much sense.
> 
> When I checked, the last activity from upstream in the bug tracker was
> a year ago.
> 
> Some of the older CVEs are fixed in the upstream VCS, but there are 
> unfixed ones in the bug tracker going back to 2020.
> 
> The 2024 CVEs are 21 buffer overflows and 2 NULL pointer dereferences,
> there is likely a lot of low hanging fruit one could fix (and then
> forward upstream) when spending 2 or 3 days on the package.
> 
Even if upstream is dead, dormant, or not acting on bug reports, I agree
with Moritz that submitting the reports upstream (to SourceForge) is
still good and something that we should make an effort to do.

First, the bugs are in fact upstream bugs and if we can break them down,
identify, fix them, and then forward the fixes (as patches or PRs)
upstream, others will be able to find the issues and the related fixes.
Second, it seems like we would have to do all of those things (except
the "forward to upstream" part) in any case to fix the CVEs for LTS, so
the "forward to upstream" step is only a very small additional step.

> For me it was an "I don't want to do that right now" and I didn't work
> on the package at that point, but I don't see a technical reason against
> someone fixing the CVEs.
> 

So, whoever is working on freeimage (Ola?) should take into account that
this is part of what needs to be done.

Regards,

-Roberto

-- 
Roberto C. Sánchez

