
Re: About the security issues affecting imagemagick in Jessie

Hi Hugo, hi all,

On Sun 01 Sep 2019 00:26:24 CEST, Hugo Lefeuvre wrote:

Hi Mike,

> I have recently worked on these issues (in the last two weeks, in fact). :-)
> Most of these issues are no-dsa, either very minor from a security point of
> view or the patches are too unclear/unstable to be applied currently.
> The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not
> upload this patch because it is big, not really understandable, and
> undocumented. Upstream did not answer my questions yet.
> I'd just remove imagemagick from dla-needed and wait some time, until
> upstream
> clarifies this patch. If he doesn't, I'd just mark this no-dsa.

can you rather document imagemagick (by adding a short version of the above
as a note) in dla-needed.txt so that the person at front desk knows.

Yes I can do that, but it sounds like a misusage of dla-needed to me. Does it
make sense to have a dla-needed entry for imagemagick if we don't intend to
release any DLA for these issues (yet)?

It may make sense or it may not. Either a CVE should be worked upon or it should not (for whatever reason). (see below)

If you think that imagemagick has many issues, we should ignore for jessie
LTS, would it be appropriate to tag them as ignored in data/CVE/list?

Otherwise they pop up again and again in lts-cve-triage.py.

I have done some more triage. However please note that these issues pop up in
lts-cve-triage because they are still open in stretch. The security team is
currently working on imagemagick, so this should be fixed in the next weeks.

Ok, great. Thanks for checking once more. Sylvain recently added some changes to lts-cve-triage.py that show the no-dsa tags for each CVE.

If an issue is still open for stretch, but tagged differently for jessie, then these tags help me to ignore those CVEs for LTS when triaging:

* imagemagick https://security-tracker.debian.org/tracker/source-package/imagemagick
  - CVE-2019-12977 https://security-tracker.debian.org/tracker/CVE-2019-12977 ignored
  - CVE-2019-12978 https://security-tracker.debian.org/tracker/CVE-2019-12978 ignored
  - CVE-2019-12979 https://security-tracker.debian.org/tracker/CVE-2019-12979 ignored
  - CVE-2019-13300 https://security-tracker.debian.org/tracker/CVE-2019-13300 ignored
  - CVE-2019-13307 https://security-tracker.debian.org/tracker/CVE-2019-13307 ignored
  - CVE-2019-13308 https://security-tracker.debian.org/tracker/CVE-2019-13308 postponed
  - CVE-2019-13391 https://security-tracker.debian.org/tracker/CVE-2019-13391 postponed
  - CVE-2019-13454 https://security-tracker.debian.org/tracker/CVE-2019-13454 ignored
  - CVE-2019-14981 https://security-tracker.debian.org/tracker/CVE-2019-14981 postponed


I find that the below package / CVE states make front-desk life easy and clear:

  - package has been claimed
  - a CVE is tagged with <ignored>
  - a CVE is tagged with <not-affected>
  - a CVE is vulnerable
  - a CVE is fixed

The <postponed> tag is a bit of a dodgy statement here (it should be worked upon, but later: when some other more severe issue pops up for the same package, or when some feedback is received, or when <whatever>).

So, a <postponed> tag can in fact mean anything. When being at front-desk you have to dig into the details (security-tracker comments, older mailing list threads, etc.) to understand the nature of individual <postponed> tags. This is awkward IMHO.

Regarding imagemagick, CVE-2019-13308 and CVE-2019-13391 are postponed, because upstream feedback is required. CVE-2019-14981 is postponed until something more severe needs fixing.

IMHO, CVE-2019-13308 and CVE-2019-13391 are a good reason for keeping imagemagick in dla-needed.txt and also keeping it claimed by the person who sent out the requests for feedback to upstream.


mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgpcbcPdQu_C_.pgp
Description: Digital PGP signature
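The per-release tags the thread argues about (ignored, postponed, no-dsa, not-affected, a fixed version, or nothing at all) are what a triage script has to read out of the security tracker's data/CVE/list to decide whether front desk can skip a CVE for the LTS release. The following is an added example, not code from the thread and not lts-cve-triage.py itself. It assumes the data/CVE/list layout as I know it: a header line "CVE-ID (description)" followed by tab-indented package lines "- package <tag or version> (comment)", optionally prefixed with "[release]". The sample entries are constructed: the CVE IDs and the jessie/stretch tags follow the thread, while the descriptions and the <unfixed> unstable lines are placeholders, not tracker data.

```python
"""Parse data/CVE/list-style entries and derive per-release front-desk states.

Added example for the thread above; not lts-cve-triage.py and not tracker code.
"""
import re

# Constructed sample in the assumed data/CVE/list syntax. CVE IDs and the
# jessie/stretch tags follow the thread; descriptions and the unstable
# "<unfixed>" lines are placeholders, not real tracker data.
SAMPLE = (
    "CVE-2019-14981 (constructed placeholder description)\n"
    "\t- imagemagick <unfixed>\n"
    "\t[stretch] - imagemagick <no-dsa> (Minor issue)\n"
    "\t[jessie] - imagemagick <postponed> (Minor issue; fix along with a more severe one)\n"
    "CVE-2019-13391 (constructed placeholder description)\n"
    "\t- imagemagick <unfixed>\n"
    "\t[stretch] - imagemagick <no-dsa> (Minor issue)\n"
    "\t[jessie] - imagemagick <postponed> (Upstream feedback on the patch required)\n"
    "CVE-2019-12977 (constructed placeholder description)\n"
    "\t- imagemagick <unfixed>\n"
    "\t[stretch] - imagemagick <no-dsa> (Minor issue)\n"
    "\t[jessie] - imagemagick <ignored> (Minor issue)\n"
)

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
PKG_RE = re.compile(
    r"^\t(?:\[(?P<release>[a-z]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<state>\S+)"
    r"(?:\s+\((?P<comment>.*)\))?\s*$"
)


def parse_cve_list(text):
    """Return {cve: {"description": str, "lines": [dict, ...]}}.

    NOTE:/TODO: lines and anything not matching the two patterns are skipped.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {"description": m.group(2) or "", "lines": []}
            entries[m.group(1)] = current
            continue
        m = PKG_RE.match(raw) if current is not None else None
        if m:
            current["lines"].append(
                {"release": m.group("release"), "package": m.group("pkg"),
                 "state": m.group("state"), "comment": m.group("comment") or ""})
    return entries


def release_status(entry, package, release):
    """Front-desk state of one package/CVE in one release.

    A release-specific line wins; otherwise the unstable line (no [release]
    prefix) applies. The real tracker also compares versions in that fallback;
    this example treats an inherited "<unfixed>" as vulnerable and a version
    string as fixed, which is enough to read the tags the thread discusses.
    """
    for want in (release, None):
        for line in entry["lines"]:
            if line["package"] == package and line["release"] == want:
                state = line["state"]
                if state.startswith("<") and state.endswith(">"):
                    tag = state[1:-1]
                    return "vulnerable" if tag == "unfixed" else tag
                return "fixed"  # a version number means fixed in that line
    return "unknown"


def lts_triage(entries, package, lts="jessie", nxt="stretch"):
    """Mirror the rule from the thread: a CVE still open in the next release
    keeps showing up in triage output, but ignored/postponed/no-dsa on the LTS
    release means front desk can skip it. Only an inherited or explicit
    "<unfixed>" on the LTS release counts as needing LTS work."""
    rows = []
    for cve in sorted(entries):
        lts_state = release_status(entries[cve], package, lts)
        next_state = release_status(entries[cve], package, nxt)
        rows.append({
            "cve": cve,
            lts: lts_state,
            nxt: next_state,
            "open_in_next": next_state not in ("fixed", "not-affected", "unknown"),
            "needs_lts_work": lts_state == "vulnerable",
        })
    return rows


if __name__ == "__main__":
    for row in lts_triage(parse_cve_list(SAMPLE), "imagemagick"):
        print(row)
```

Run stand-alone it prints one row per CVE: all three are still open in stretch (no-dsa is open, just without a DSA), none needs LTS work for jessie, and the jessie column carries the tag front desk wants to see. Querying a release with no line of its own (for example sid) falls through to the unstable "<unfixed>" line and comes back as vulnerable, which is the case in which the package would belong in dla-needed.txt.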
