[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RFC - ImageMagick, proper testing, and handling issues without a CVE ID



Greetings all,

I have prepared an update of ImageMagick that takes the work Ben
Hutchings started and incorporates patches for all remaining security
issues which have been fixed in jessie [0].

The nature of my request in this message is:

 1. I would appreciate it if someone would take a look at the package
    (.dsc [1], .changes [2]) and see if anything appears out of place.
    The changes that Ben made combined with the changes that I made
    total about 80 patches, so I would feel more comfortable uploading
    if someone else weighed in.
 2. Also, I am wondering how to handle testing.  After I finished
    integrating all of the patches I found that the test suite failed to
    pass (though this did not cause the package to fail to build).  I
    built the last wheezy version of ImageMagick (deb7u7) and found that
    all the tests passed for that version.  I carefully audited the
    patches, found some mistakes which I corrected, found some changes
    which had later changes in upstream to partially revert or correct,
    etc.  After all of that, I have the unit tests passing again.  Is
    there more extensive testing that I need to do?
 3. I am seeking advice about how to handle the issues which do not have
    a CVE ID.  On the security tracker page the issues to which I refer
    appear with an ID starting with TEMP.  For the moment I have
    annotated the changelog entries that correspond to specific CVE IDs
    with those IDs and, based on the pattern in Ben's changelog entries,
    I have not specifically annotated the issues.  Is this the correct
    approach?  When I post the DLA, would I likewise list those issues
    without specific IDs?

I understand if the review takes some time, but please post back to the
list to let me and others know that you are reviewing these packages.
That will prevent duplication of effort and will also let me know that
someone is looking.  If hear nothing by Wednesday evening (EST) then I
will proceed with uploading the package I have built and release a
corresponding DLA.

Regards,

-Roberto

[0] https://security-tracker.debian.org/tracker/source-package/imagemagick
[1] http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u8.dsc
[2] http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u8_amd64.changes

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Attachment: signature.asc
Description: Digital signature


Reply to: