[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

What to do with jbig2dec in wheezy and jessie

Hello,

I started to work on fixing jbig2dec/wheezy for
https://security-tracker.debian.org/tracker/CVE-2016-9601 but
the patch that allegedly fixes the current issue is rather invasive
and while looking at the git history you will quickly see
that allmost all the changes since the version that we have in wheezy and
jessie are potential security issues that were never assigned any CVE:
http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog

- Many CERT reported issues
- Many fuzzing related bugs
- Many valgrind errors
- Many heap overflow/underflow

Thus I wonder if the proper approach is not to update the version
that we have in wheezy/jessie to be in sync with what's in stretch/sid.

The number of reverse dependencies is rather low and we should be able
to ensure that they are still working as expected.

I can only do that in wheezy if we also do it in jessie, so I seek the
input of the security team as well. I can prepare the update for both
suites.

Let me know your thoughts.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply to: