On Thu, Mar 09, 2017 at 12:10:15PM +0100, Raphael Hertzog wrote:
> Hello,
>
> sorry for the delay...
>
> On Tue, 31 Jan 2017, Luciano Bello wrote:
> > On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
> > > > I started to work on fixing jbig2dec/wheezy for
> > > > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
> > > > the patch that allegedly fixes the current issue is rather invasive
> > > > and while looking at the git history you will quickly see
> > > > that almost all the changes since the version that we have in wheezy
> > > > and
> > > > jessie are potential security issues that were never assigned any CVE:
> > > > http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
> >
> > Hi Ola and Raphael,
> >
> > First, sorry for the delay in the answer.
> >
> > About jbig2dec, how can we be sure that we are not breaking user
> > programs linked to the lib?
>
> Honestly, given the very low number of rdeps in Debian, I doubt that we
> have many users having custom programs built against that library.

Agreed.

> Upstream never bumped the SONAME so at least they act as if all the
> changes made so far are backwards compatible. So I would suggest to not
> spend too much time on this aspect and only consider whether the rdeps in
> Debian are working well enough.
>
> That said I'm not convinced upstream is following best practices
> for libraries very well but that is partly because they see the
> library as very tightly coupled with the two rdeps. Quoting
> https://ghostscript.com/jbig2dec.html :
> « This is a decoder only implementation, and its primary use is in
> Ghostscript and MuPDF for decoding JBIG2 streams in PDF files. Thus its
> primary focus is the set of JBIG2 features supported in PDF. »
>
> So as long as we ensure that we don't break Ghostscript and MuPDF I think
> we are good enough.
>
> Shall I go ahead and prepare some test packages?

Please do.

Cheers,
        Moritz
