What to do with jbig2dec in wheezy and jessie
I started to work on fixing jbig2dec/wheezy for
the patch that allegedly fixes the current issue is rather invasive
and while looking at the git history you will quickly see
that almost all the changes since the version that we have in wheezy and
jessie are potential security issues that were never assigned any CVE:
- Many CERT reported issues
- Many fuzzing related bugs
- Many valgrind errors
- Many heap overflows/underflows
Thus I wonder if the proper approach is not to update the version
that we have in wheezy/jessie to be in sync with what's in stretch/sid.
The number of reverse dependencies is rather low and we should be able
to ensure that they are still working as expected.
I can only do that in wheezy if we also do it in jessie, so I seek the
input of the security team as well. I can prepare the update for both
Let me know your thoughts.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/