Hi Ola,

On Tue, Mar 21, 2017 at 06:52:59AM +0100, Salvatore Bonaccorso wrote:
> Hello Ola!
>
> I noticed you started triaging apng2gif for wheezy. Please note, do
> always not conclude that when a reproducer fails, that the issue is
> not present, the issue needs to be triaged as well studying the source.
> And the reporter has given here the hints for what the CVEs are
> assigned (actually done, after he pinged the security team, and I
> asked to request them via MITRE since the bugs were already public in the
> BTS).
>
> I guess this is not necessary to say, but I just wanted to make sure
> how is our approach for issues.
>
> If you compile the sid version with ASAN you can see the issues
> reported by Dileep Kumar Jallepall, apart from the memory allocation issue.
>
> I tend to mark the issues as no-dsa for jessie at least. For
> sid/stretch we maybe are actually better off if it is removed, since
> basically dead upstream afaict.
>
> Does this help? I'm writing you since I saw your comments on the
> three bugs.

Sorry, should add: I agree the code has significantly changed between
1.5 and 1.7, so code analysis might show that the issues are really
not present for wheezy and jessie. For example the #854447 issue might
only be present in 1.7, since the affected code seems introduced after
1.5.

Hope this gives some hints.

Salvatore