Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

To: debian-lts@lists.debian.org
Subject: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
From: Raphael Hertzog <hertzog@debian.org>
Date: Tue, 29 Nov 2016 12:14:10 +0100
Message-id: <[🔎] 20161129111410.padrpl3w2lylsdrz@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20161128114407.GB26261@miami.connexer.com>
References: <[🔎] 20161128060237.GA26261@miami.connexer.com> <[🔎] 20161128071326.jhvcaoavbkjpht4a@bogon.m.sigxcpu.org> <[🔎] 20161128114407.GB26261@miami.connexer.com>

Hi,

On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> Quite right:
> http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff

Somme comments:
- since we have no git history, it's nice to indicate in each patch what
  CVE it fixes (I like to name the patch according to the CVE it fixes too)
  here, I have to lookup the upstream ticket or commit to find out and in many
  cases, it's no longer possible since the patch refers to a
  trac.imagemagick.org URL which no longer exists and/or the commit does
  not have the CVE number :(
- in some cases, you have used anonscm.debian.org URL as reference for a
  patch like this one:
  https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/patch/?id=33b2d377b94eb738011bc7d5e90ca0a16ce4d471
  You should really strive to use a reference in the upstream repository
  because that's what everybody should use.

That's all I can say because I can't realistically review the content of
all patches.

> I suppose I should have been more clear in my request.  The built
> packages are there (retrievable by the .changes file I linked in my
> original message).  A very small number of the Debian bugs had files
> that could be used to produce buggy insecure behavior, but I was hoping
> that there would be something more comprehensive to check for
> regressions.  However, the unit tests themselves appear (at least to me)
> to provide excellent coverage, so they may be sufficient.  In any event,
> I have exhausted my available time for the month, so if anyone out there
> (especially heavy users of imagemagick, as I am not personally a
> particularly heavy user of imagemagick) could test these packages, then
> that would be excellent.

I did install your packages in my test VM and did a bunch of tests (with
convert, display and with tools linking against various libmagick*
including psftools, inkscape), and I have not found any issue.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to:

Follow-Ups:
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Guido Günther <agx@sigxcpu.org>
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Roberto C. Sánchez <roberto@connexer.com>

Prev by Date: Re: Qemu CVEs in Xen
Next by Date: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Previous by thread: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Next by thread: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Index(es):
- Date
- Thread