Re: What to do with jbig2dec in wheezy and jessie
On Thu, Mar 09, 2017 at 12:10:15PM +0100, Raphael Hertzog wrote:
> sorry for the delay...
> On Tue, 31 Jan 2017, Luciano Bello wrote:
> > On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
> > > > I started to work on fixing jbig2dec/wheezy for
> > > > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> > > > the patch that allegedly fixes the current issue is rather invasive
> > > > and while looking at the git history you will quickly see
> > > > that allmost all the changes since the version that we have in wheezy and
> > > > jessie are potential security issues that were never assigned any CVE:
> > > > http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
> > Hi Ola and Raphael,
> > First, sorry for delay in the answer.
> > About the jbig2dec, how can be sure that we are not breaking user
> > programs linked to the lib?
> Honestly, given the very low number of rdeps in Debian, I doubt that we
> have many users having custom programs built against that library.
> Upstream never bumped the SONAME so at least they act as if all the
> changes made so far are backwards compatible. So I would suggest to not
> spend too much time on this aspect and only consider whether the rdeps in
> Debian are working well enough.
> That said I'm not convinced upstream is following best practices
> for libraries very well but that is partly due because they see the
> library as a very tightly coupled with the two rdeps. Quoting
> https://ghostscript.com/jbig2dec.html :
> « This is a decoder only implementation, and it's primary use is in
> Ghostscript and MuPDF for decoding JBIG2 streams in PDF files. Thus its
> primary focus is the set of JBIG2 features supported in PDF. »
> So as long as we ensure that we don't break Ghostscript and MuPDF I think
> we are good enough.
> Shall I go ahead and prepare some test packages?