
Re: About the security issues affecting imagemagick in Jessie

Hi Mike,

> I find that the below package / CVE states make front-desk life easy and
> clear:
> 
>   - package has been claimed
>   - a CVE is tagged with <ignored>
>   - a CVE is tagged with <not-affected>
>   - a CVE is vulnerable
>   - a CVE is fixed

Should we completely stop using <no-dsa> then?

This makes sense for the security team, but is it useful in the LTS case?

I'm not sure myself. I usually use no-dsa when a CVE is minor but I haven't
taken a final decision (ignore it/postpone it) yet (not enough time, no
"need" to take a final decision, can be revisited).

> The <postponed> tag is a bit of a dodgy statement here (it should be worked
> upon, but later when some other more severe issue pops up for the same
> package, or when some feedback is received, or when <what-ever>).
> 
> So, a <postponed> tag can in fact mean anything. When being at front-desk
> you have to dig into the details (security-tracker comments, older mailing
> list threads, etc.) to understand the nature of individual <postponed> tags.
> This is awkward IMHO.

I don't think so. <postponed> entries don't have to be revisited unless new
issues pop up for which we want to release a DLA.

Most of the time when I tag <postponed> I mean "this is really minor,
preparing an update just for that would be wasting our time. Regression
risks are very low though, so let's ship it in a future update".

> Regarding imagemagick, CVE-2019-13308 and CVE-2019-13391 are postponed,
> because upstream feedback is required. CVE-2019-14981 is postponed until
> something more severe needs fixing.
>
> IMHO, CVE-2019-13308 and CVE-2019-13391 are a good reason for keeping
> imagemagick in dla-needed.txt and also keeping it claimed by the person who
> sent out the requests for feedback to upstream.

Regarding CVE-2019-13308 and CVE-2019-13391, I meant "revisit these when
preparing the next update, as of now I don't want to apply this
undocumented, large, potentially incomplete patch".

Also, the issue is not critical, no hurry. We can just take a look at this
when new issues pop up for imagemagick.

This is borderline, so let's stop wasting time: we can keep a dla-needed
entry with appropriate comments for both front desk and regular LTS
contributors.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
