[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What to do with jbig2dec in wheezy and jessie


With my LTS front desk hat on I think this is worth investigating.
However as you write. We have to get the regular security team on
board first.

// Ola

On 26 January 2017 at 15:14, Raphael Hertzog <hertzog@debian.org> wrote:
> Hello,
> I started to work on fixing jbig2dec/wheezy for
> https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> the patch that allegedly fixes the current issue is rather invasive
> and while looking at the git history you will quickly see
> that allmost all the changes since the version that we have in wheezy and
> jessie are potential security issues that were never assigned any CVE:
> http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
> - Many CERT reported issues
> - Many fuzzing related bugs
> - Many valgrind errors
> - Many heap overflow/underflow
> Thus I wonder if the proper approach is not to update the version
> that we have in wheezy/jessie to be in sync with what's in stretch/sid.
> The number of reverse dependencies is rather low and we should be able
> to ensure that they are still working as expected.
> I can only do that in wheezy if we also do it in jessie, so I seek the
> input of the security team as well. I can prepare the update for both
> suites.
> Let me know your thoughts.
> --
> Raphaël Hertzog ◈ Debian Developer
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: