Re: What to do with jbig2dec in wheezy and jessie
Hi
With my LTS front desk hat on I think this is worth investigating.
However, as you write, we have to get the regular security team on
board first.
// Ola
On 26 January 2017 at 15:14, Raphael Hertzog <hertzog@debian.org> wrote:
> Hello,
>
> I started to work on fixing jbig2dec/wheezy for
> https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> the patch that allegedly fixes the current issue is rather invasive
> and while looking at the git history you will quickly see
> that almost all the changes since the version that we have in wheezy and
> jessie are potential security issues that were never assigned any CVE:
> http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
>
> - Many CERT reported issues
> - Many fuzzing related bugs
> - Many valgrind errors
> - Many heap overflow/underflow
>
> Thus I wonder if the proper approach is not to update the version
> that we have in wheezy/jessie to be in sync with what's in stretch/sid.
>
> The number of reverse dependencies is rather low and we should be able
> to ensure that they are still working as expected.
>
> I can only do that in wheezy if we also do it in jessie, so I seek the
> input of the security team as well. I can prepare the update for both
> suites.
>
> Let me know your thoughts.
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Folkebogatan 26 \
| opal@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------