Re: What to do with jbig2dec in wheezy and jessie
Hi
This is a very good question that I do not have a good answer to.
It depends on:
- Whether there are good regression test suites or not. If they exist
and they pass then we are on the safer side.
- What the changes are and whether we can oversee that. If they are
too intrusive then that is not a good way forward.
- Trust. If jbig2dec maintainers have a reputation to never break
legacy, then we can trust it more.
- Manual testing of course but that takes a lot of time.
Best regards
// Ola
On 1 February 2017 at 05:48, Luciano Bello <luciano@debian.org> wrote:
> On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
>> > I started to work on fixing jbig2dec/wheezy for
>> > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
>> > the patch that allegedly fixes the current issue is rather invasive
>> > and while looking at the git history you will quickly see
>> > that almost all the changes since the version that we have in wheezy and
>> > jessie are potential security issues that were never assigned any CVE:
>> > http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
>
> Hi Ola and Raphael,
> First, sorry for the delay in the answer.
> About the jbig2dec, how can we be sure that we are not breaking user programs
> linked to the lib?
>
> /l
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Folkebogatan 26 \
| opal@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------