
Re: How to handle freeimage package



On Wed, Apr 10, 2024 at 12:17:33PM -0400, Roberto C. Sánchez wrote:
> On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> > On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> > > 
> > > So a useful next step would be to break those reports down into separate
> > > bug reports and file them there so that upstream actually learns about
> > > them.
> > 
> > I don't think that makes much sense.
> > 
> > When I checked, the last activity from upstream in the bug tracker was
> > a year ago.
> > 
> > Some of the older CVEs are fixed in the upstream VCS, but there are
> > unfixed ones in the bug tracker going back to 2020.
> > 
> > The 2024 CVEs are 21 buffer overflows and 2 NULL pointer dereferences,
> > there is likely a lot of low hanging fruit one could fix (and then
> > forward upstream) when spending 2 or 3 days on the package.
> > 
> Even if upstream is dead, dormant, or not acting on bug reports, I agree
> with Moritz that submitting the reports upstream (to SourceForge) is
> still good and something that we should make an effort to do.
> 
> First, the bugs are in fact upstream bugs and if we can break them down,
> identify, fix them, and then forward the fixes (as patches or PRs)
> upstream, others will be able to find the issues and the related fixes.
> Second, it seems like we would have to do all of those things (except
> the "forward to upstream" part) in any case to fix the CVEs for LTS, so
> the "forward to upstream" step is only a very small additional step.

My point was that an opposite approach of doing only
"file upstream bugs and wait for upstream to fix the CVEs"
is unlikely to have a positive outcome in this case.

Forwarding fixes upstream is of course desirable,
even when upstream is dead.

> > For me it was an "I don't want to do that right now" and I didn't work
> > on the package at that point, but I don't see a technical reason against
> > someone fixing the CVEs.
> 
> So, whoever is working on freeimage (Ola?) should take into account that
> this is part of what needs to be done.
> 
> Regards,
> 
> -Roberto

cu
Adrian