Hello, sorry for the delay...
On Tue, 31 Jan 2017, Luciano Bello wrote:
> On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
> > > I started to work on fixing jbig2dec/wheezy for
> > > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> > > the patch that allegedly fixes the current issue is rather invasive
> > > and while looking at the git history you will quickly see
> > > that almost all the changes since the version that we have in wheezy and
> > > jessie are potential security issues that were never assigned any CVE:
> > > http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
>
> Hi Ola and Raphael,
>
> First, sorry for the delay in the answer.
>
> About the jbig2dec, how can we be sure that we are not breaking user
> programs linked to the lib?

Honestly, given the very low number of rdeps in Debian, I doubt that we have
many users having custom programs built against that library.

Upstream never bumped the SONAME so at least they act as if all the changes
made so far are backwards compatible.

So I would suggest to not spend too much time on this aspect and only
consider whether the rdeps in Debian are working well enough.

That said I'm not convinced upstream is following best practices for
libraries very well but that is partly because they see the library as
very tightly coupled with the two rdeps.

Quoting https://ghostscript.com/jbig2dec.html :
« This is a decoder only implementation, and its primary use is in
Ghostscript and MuPDF for decoding JBIG2 streams in PDF files. Thus its
primary focus is the set of JBIG2 features supported in PDF. »

So as long as we ensure that we don't break Ghostscript and MuPDF I think
we are good enough.

Shall I go ahead and prepare some test packages?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
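The question raised in the thread (can the updated library be shipped without breaking programs linked against it, given that upstream never bumped the SONAME) can be checked mechanically before any rdep is rebuilt: dump the exported symbols of the old and new builds and confirm that none disappeared. The script below is an added example, not something posted in the thread or shipped by jbig2dec or Debian. The `nm` invocations in the comments assume the library file is named `libjbig2dec.so.0`; the symbol lists the script actually runs on are constructed inline for illustration, and the names in them are sample data, not a claim about the real export table.

```shell
#!/bin/sh
# ABI export check: report symbols that an old build exported but a new build
# no longer does. A removed exported symbol under the same SONAME means any
# binary linked against the old build can fail to load or resolve at runtime.
#
# On a real pair of builds the lists come from (file name is an assumption):
#   nm -D --defined-only old/libjbig2dec.so.0 | awk '{print $3}' | sort -u > old.syms
#   nm -D --defined-only new/libjbig2dec.so.0 | awk '{print $3}' | sort -u > new.syms
# and the package-level reverse dependencies to rebuild/test come from:
#   apt-cache rdepends libjbig2dec0

# Symbols present in the old list but missing from the new one.
# Both files must be sorted, as comm(1) requires.
removed_symbols() {
    comm -23 "$1" "$2"
}

# Symbols present only in the new list (harmless for ABI, useful to review).
added_symbols() {
    comm -13 "$1" "$2"
}

# abi_check OLD NEW: returns 0 when no exported symbol was dropped, 1 otherwise.
abi_check() {
    old=$1
    new=$2
    missing=$(removed_symbols "$old" "$new")
    if [ -n "$missing" ]; then
        printf 'ABI break: symbols exported by %s but not by %s:\n%s\n' \
            "$old" "$new" "$missing"
        return 1
    fi
    printf 'No exported symbols removed. New symbols:\n%s\n' \
        "$(added_symbols "$old" "$new")"
    return 0
}

# Constructed sample data standing in for the nm output above.
SYMDIR=$(mktemp -d)
printf 'jbig2_ctx_new\njbig2_data_in\njbig2_page_out\n' | sort -u > "$SYMDIR/old.syms"
printf 'jbig2_ctx_new\njbig2_data_in\njbig2_page_out\njbig2_ctx_free\n' \
    | sort -u > "$SYMDIR/new.syms"

# Forward direction: the new build only adds a symbol, so this passes.
abi_check "$SYMDIR/old.syms" "$SYMDIR/new.syms"
```

Run it with the two `.syms` files produced from the actual old and new packages instead of the constructed lists; a non-zero exit means the update needs either a SONAME bump or a rebuild of every reverse dependency, which for wheezy/jessie means at least Ghostscript and MuPDF.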
