Re: What to do with jbig2dec in wheezy and jessie
- To: Luciano Bello <firstname.lastname@example.org>
- Cc: Ola Lundqvist <email@example.com>, Debian LTS <firstname.lastname@example.org>, Debian Security Team <email@example.com>, firstname.lastname@example.org, Jonas Smedegaard <email@example.com>
- Subject: Re: What to do with jbig2dec in wheezy and jessie
- From: Raphael Hertzog <firstname.lastname@example.org>
- Date: Thu, 9 Mar 2017 12:10:15 +0100
- Message-id: <email@example.com>
- Mail-followup-to: Raphael Hertzog <firstname.lastname@example.org>, Luciano Bello <email@example.com>, Ola Lundqvist <firstname.lastname@example.org>, Debian LTS <email@example.com>, Debian Security Team <firstname.lastname@example.org>, email@example.com, Jonas Smedegaard <firstname.lastname@example.org>
- In-reply-to: <1669265.PfsIaU1miV@box>
- References: <email@example.com> <CABY6=0kSDP22y6RZYTcgkF5Wqk1NDR3iGFfWZG5DLiM9eBE59w@mail.gmail.com> <1669265.PfsIaU1miV@box>
sorry for the delay...
On Tue, 31 Jan 2017, Luciano Bello wrote:
> On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
> > > I started to work on fixing jbig2dec/wheezy for
> > > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> > > the patch that allegedly fixes the current issue is rather invasive
> > > and while looking at the git history you will quickly see
> > > that almost all the changes since the version that we have in wheezy and
> > > jessie are potential security issues that were never assigned any CVE:
> > > http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
> Hi Ola and Raphael,
> First, sorry for delay in the answer.
> About the jbig2dec, how can we be sure that we are not breaking user
> programs linked to the lib?
Honestly, given the very low number of rdeps in Debian, I doubt that we
have many users having custom programs built against that library.
Upstream never bumped the SONAME so at least they act as if all the
changes made so far are backwards compatible. So I would suggest to not
spend too much time on this aspect and only consider whether the rdeps in
Debian are working well enough.
That said, I'm not convinced upstream is following best practices
for libraries very well, but that is partly because they see the
library as very tightly coupled with the two rdeps. Quoting
« This is a decoder only implementation, and it's primary use is in
Ghostscript and MuPDF for decoding JBIG2 streams in PDF files. Thus its
primary focus is the set of JBIG2 features supported in PDF. »
So as long as we ensure that we don't break Ghostscript and MuPDF I think
we are good enough.
Shall I go ahead and prepare some test packages?
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
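The message above argues that an unchanged SONAME is upstream's claim of backwards compatibility and that the practical test is whether the rdeps still work. One cheap check a maintainer can run before building test packages is to compare the exported symbols of the old and new library builds: if the new build drops a symbol the old one exported, an unchanged SONAME is a lie and every rdep that referenced it will fail at load time. The script below is an added example and is not code from the thread, from Debian or from the jbig2dec project. The symbol lists are constructed inline (the jbig2_* names are sample data, not a claim about the library's actual export table) so that it runs offline; in real use you would produce them with `nm -D --defined-only libjbig2dec.so.0 | awk '{print $3}'` for each build.

```shell
#!/bin/sh
# Added example (not from the thread): detect exported symbols that a newer
# build of a shared library dropped while keeping the same SONAME.
set -eu

# Constructed sample export lists, one symbol per line. In practice:
#   nm -D --defined-only old/libjbig2dec.so.0 | awk '{print $3}'
# Names are illustrative assumptions, not the library's real symbol table.
OLD_SYMS='jbig2_ctx_new
jbig2_ctx_free
jbig2_data_in
jbig2_page_out
jbig2_complete_page
jbig2_image_new'

NEW_SYMS='jbig2_ctx_new
jbig2_ctx_free
jbig2_data_in
jbig2_page_out
jbig2_image_new
jbig2_image_release'

# removed_symbols OLD NEW: print (sorted, deduplicated) every symbol in OLD
# that NEW no longer exports. Both lists travel through one awk stream,
# separated by a sentinel line, to stay POSIX and avoid temp files.
removed_symbols() {
    {
        printf '%s\n' "$2"   # reference set (the list we check membership in)
        printf '%s\n' '---'  # sentinel: assumed never to be a real symbol name
        printf '%s\n' "$1"   # candidates
    } | awk '
        $0 == "---" { phase = 1; next }
        $0 == ""     { next }
        phase == 0   { in_ref[$0] = 1; next }
        !($0 in in_ref) && !($0 in seen) { seen[$0] = 1; print }
    ' | sort
}

# added_symbols OLD NEW: symbols NEW exports that OLD did not. Additions do
# not break existing rdeps, but they do show how far upstream has moved.
added_symbols() {
    removed_symbols "$2" "$1"
}

# abi_preserved OLD NEW: return 0 when every symbol of the old build is still
# exported by the new one (the minimum an unchanged SONAME promises);
# otherwise list the losses on stderr and return 1.
abi_preserved() {
    lost=$(removed_symbols "$1" "$2")
    if [ -n "$lost" ]; then
        printf 'symbols dropped despite unchanged SONAME:\n%s\n' "$lost" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed lists: jbig2_complete_page is missing from
# the new build, so the new library is not a drop-in replacement.
abi_preserved "$OLD_SYMS" "$NEW_SYMS" || echo "new build is NOT a drop-in replacement"
echo "new exports: $(added_symbols "$OLD_SYMS" "$NEW_SYMS")"
```

A clean result from this check only covers the symbol table, not changed struct layouts or semantics, which is why the message's other criterion (rebuild and exercise Ghostscript and MuPDF, the two rdeps upstream actually targets) still has to be done by hand.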