
Re: How to handle freeimage package



On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote:
> > Hi,
> > 
> > I think this requires a bit of coordination:
> > - the package is basically dead upstream, there hasn't been a fix in the
> > official repos, and neither Debian nor other distros attempted to fix them
> 
> Some of the past fixes got addressed by upstream. But the recent people
> who run fuzzers never reported them upstream to the rather byzantine
> Sourceforge bug tracker and only posted them in some unrelated tree on
> Github to get a CVE assigned.
> 
> So a useful next step would be to break those reports down into separate
> bug reports and file them there so that upstream actually learns about
> them.

I don't think that makes much sense.

When I checked, the last activity from upstream in the bug tracker was
a year ago.

Some of the older CVEs are fixed in the upstream VCS, but there are
unfixed ones in the bug tracker going back to 2020.

The 2024 CVEs are 21 buffer overflows and 2 NULL pointer dereferences;
there is likely a lot of low-hanging fruit one could fix (and then
forward upstream) when spending 2 or 3 days on the package.

For me it was an "I don't want to do that right now" and I didn't work
on the package at that point, but I don't see a technical reason against
someone fixing the CVEs.

> Cheers,
>         Moritz

cu
Adrian

