Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
On Tue, Nov 29, 2016 at 12:14:10PM +0100, Raphael Hertzog wrote:
> On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > Quite right:
> > http://people.debian.org/~roberto/imagemagick_188.8.131.52-5+deb7u7_184.108.40.206-5+deb7u8.diff
> Some comments:
> - since we have no git history, it's nice to indicate in each patch what
> CVE it fixes (I like to name the patch according to the CVE it fixes too)
> here, I have to lookup the upstream ticket or commit to find out and in many
> cases, it's no longer possible since the patch refers to a
> trac.imagemagick.org URL which no longer exists and/or the commit does
> not have the CVE number :(
My initial post to the list had a question about how to handle the
issues without a CVE ID in the DLA. The suggestion was to annotate the
corresponding Debian bug numbers. I can do the same for the changelog
entries, assuming that it is not a problem that all those bugs will then
have closure notices related to this upload.
I named the patches by the title/description of the issue in the Debian
security tracker and except for a couple of changes applied them
chronologically. It would not be difficult for me to go through the
list quickly and match up the patches and bug numbers.
> - in some cases, you have used anonscm.debian.org URL as reference for a
> patch like this one:
> You should really strive to use a reference in the upstream repository
> because that's what everybody should use.
I did my best to find upstream references wherever possible. In some
cases, that was not possible because of the age of the issue and related
changes. It appears that at some point over the last months or years
that upstream has decommissioned their trac and subversion sites and
moved everything to GitHub. In some instances I was able to examine the
GitHub history and identify where an older change had been migrated in,
but I was not able to do that in every case.
If the change which I identified in anonscm had a reference to upstream,
I would verify that the two were related and then use the upstream
reference in preference to the anonscm reference.
> That's all I can say because I can't realistically review the content of
> all patches.
> > I suppose I should have been more clear in my request. The built
> > packages are there (retrievable by the .changes file I linked in my
> > original message). A very small number of the Debian bugs had files
> > that could be used to produce buggy insecure behavior, but I was hoping
> > that there would be something more comprehensive to check for
> > regressions. However, the unit tests themselves appear (at least to me)
> > to provide excellent coverage, so they may be sufficient. In any event,
> > I have exhausted my available time for the month, so if anyone out there
> > (especially heavy users of imagemagick, as I am not personally a
> > particularly heavy user of imagemagick) could test these packages, then
> > that would be excellent.
> I did install your packages in my test VM and did a bunch of tests (with
> convert, display and with tools linking against various libmagick*
> including psftools, inkscape), and I have not found any issue.
Thanks for the testing and for the feedback on the changes.
Roberto C. Sánchez