Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> Quite right:
> http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff

Some comments:
- since we have no git history, it's nice to indicate in each patch what
  CVE it fixes (I like to name the patch according to the CVE it fixes too).
  Here, I have to look up the upstream ticket or commit to find out, and in
  many cases it's no longer possible since the patch refers to a
  trac.imagemagick.org URL which no longer exists and/or the commit does
  not have the CVE number :(
- in some cases, you have used an anonscm.debian.org URL as reference for a
  patch, like this one:
  You should really strive to use a reference in the upstream repository
  because that's what everybody should use.

That's all I can say because I can't realistically review the content of
all patches.

> I suppose I should have been more clear in my request.  The built
> packages are there (retrievable by the .changes file I linked in my
> original message).  A very small number of the Debian bugs had files
> that could be used to produce buggy insecure behavior, but I was hoping
> that there would be something more comprehensive to check for
> regressions.  However, the unit tests themselves appear (at least to me)
> to provide excellent coverage, so they may be sufficient.  In any event,
> I have exhausted my available time for the month, so if anyone out there
> (especially heavy users of imagemagick, as I am not personally a
> particularly heavy user of imagemagick) could test these packages, then
> that would be excellent.

I did install your packages in my test VM and did a bunch of tests (with
convert, display and with tools linking against various libmagick*
including psftools, inkscape), and I have not found any issue.

Raphaël Hertzog ◈ Debian Developer