Hi again

Adding the maintainer to this thread. :-)

// Ola

On 1 May 2017 at 22:13, Ola Lundqvist <[email protected]> wrote:
> Hi again
>
> I have now looked through the CVEs for libpodofo and found that all
> remaining issues in wheezy except one are of the DoS class.
>
> - Almost all are null pointer dereferences
> - One is a heap over-read causing a crash
> - One is unspecified. So that one needs some more investigation.
>
> I agree that we have a tool that allows PDF manipulation and that one can
> crash. However, the service that runs that tool should not crash because of
> that. So this means that the PDF manipulation will fail but the service
> should still run. If the service does not handle tool failure, that should in
> most cases be seen as a buggy service.
>
> This leads me to think that we should mark all of them (with the
> exception of one) as a no-dsa minor issue.
>
> Anyone disagree?
>
> Someone can of course still look into fixing these issues.
>
> Best regards
>
> // Ola
>
> On 30 April 2017 at 23:44, Ola Lundqvist <[email protected]> wrote:
>
>> Hi Markus
>>
>> Good points. Thank you for the advice.
>>
>> Best regards
>>
>> // Ola
>>
>> On 30 April 2017 at 23:34, Markus Koschany <[email protected]> wrote:
>>
>>> Hi Ola,
>>>
>>> On 30.04.2017 at 22:00, Ola Lundqvist wrote:
>>> > Hi Markus
>>> >
>>> > I think we mostly agree on things here. Good to know.
>>> >
>>> > There are some minor comments I have though:
>>> > 1) There are to my knowledge two types of "no-dsa". One "Minor issue,
>>> > will be fixed in next point release" and another "Minor issue". I have
>>> > been told that if the security team decides for a "minor issue", LTS should
>>> > in most cases do the same. However, if it is a "minor issue, will be fixed
>>> > in next point release" we should probably fix it as usual.
>>>
>>> I think everyone who triages packages has to make a decision from time
>>> to time. It can be right or wrong. In my opinion we should not blindly
>>> follow "no-dsa" tags from the security team but instead use the
>>> opportunity to double-check issues and make up our own mind. Nevertheless,
>>> to a very high degree the security team's decisions are reasonable of
>>> course, and often when I triage packages I follow Jessie too.
>>>
>>> My point is that "no-dsa" is not final and absolute. If you catch
>>> yourself spending ten hours on a single issue and end up backporting
>>> large portions of the latest upstream release for a no-dsa bug, it might
>>> not really be the best thing to do. But if the fix is straightforward
>>> and manageable and there is even a more serious bug, it shouldn't be
>>> much of an issue to fix the no-dsa bugs as well. Let's face it, most of
>>> the Jessie no-dsa CVEs won't be fixed in a point release unless we do it
>>> now or in the next LTS.
>>>
>>> > 2) Regarding the DoS class. I agree that this can be serious, but to me it
>>> > looks like there is no actual service software that depends on this
>>> > library. Just desktop software. We could however consider custom-built
>>> > software that directly depends on this library. I find that to be a
>>> > rather unlikely situation. Still, it can be considered.
>>>
>>> I consider desktop software like scribus or calibre to be valid
>>> consumers of libpodofo, and there is even libpodofo-utils which includes
>>> tools to manipulate PDF files. The latter is suitable for use on server
>>> systems. I think we shouldn't discriminate between server and desktop
>>> though.
>>>
>>> > Apart from these comments I agree with you.
>>> >
>>> > One question to you. Will you look further into fixing the rest of the
>>> > problems? In that case I can add the dla-needed.txt file with your name
>>> > on it. :-)
>>>
>>> I have talked to Mattia, the maintainer of libpodofo. He intends to fix
>>> these bugs in unstable and Jessie as well, as soon as upstream has released
>>> more updates. He will be able to reuse my patches for Jessie. At the
>>> moment I don't intend to assign myself to libpodofo again because
>>> upstream is rather slow with fixing those CVEs. Maybe later, but if
>>> someone else wants to work on it now, please go ahead.
>>>
>>> Cheers,
>>>
>>> Markus
>>
>> --
>> --- Inguza Technology AB --- MSc in Information Technology ----
>> /  [email protected]                  Folkebogatan 26              \
>> |  [email protected]                  654 68 KARLSTAD              |
>> |  http://inguza.com/                    Mobile: +46 (0)70-332 1551  |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9       /
>> ---------------------------------------------------------------
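The thread's argument for rating these bugs as DoS-only rests on the service that drives the PDF tool surviving the tool's crash. The following is an added example, not code from the thread or from libpodofo: a Python wrapper that runs the tool in a child process and classifies how it ended (clean failure, killed by a signal, or hang), so the calling service returns an error for that one request instead of dying with the tool. The tool command lines are constructed stand-ins (Python one-liners that exit, crash or sleep), not a real podofo invocation, and the code assumes a POSIX system, where `subprocess` reports a child killed by a signal as a negative return code.

```python
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ToolResult:
    # "ok", "failed" (non-zero exit), "crashed" (killed by a signal) or "timeout"
    status: str
    returncode: Optional[int] = None
    signal_name: Optional[str] = None
    stderr: str = ""


def run_pdf_tool(argv: List[str], timeout: float = 30.0) -> ToolResult:
    """Run an external PDF tool in a child process and classify how it ended.

    The service's own process never shares address space with the tool, so a
    null-pointer dereference or heap over-read inside the tool costs only this
    one request. Assumes POSIX semantics: a child killed by a signal is
    reported by subprocess with a negative return code (-SIGSEGV etc.).
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return ToolResult("failed", stderr="tool not installed: %s" % argv[0])
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing lingers
        return ToolResult("timeout")

    err = proc.stderr.decode("utf-8", errors="replace")
    rc = proc.returncode
    if rc < 0:
        # Negative return code: the child died from signal -rc
        return ToolResult("crashed", returncode=rc,
                          signal_name=signal.Signals(-rc).name, stderr=err)
    if rc != 0:
        return ToolResult("failed", returncode=rc, stderr=err)
    return ToolResult("ok", returncode=0, stderr=err)


def handle_request(argv: List[str], timeout: float = 30.0) -> str:
    """Service-side handling: every outcome maps to a response, none raises."""
    result = run_pdf_tool(argv, timeout)
    if result.status == "ok":
        return "processed"
    if result.status == "crashed":
        # A crash on user-supplied input deserves its own log line: a run of
        # these is the denial-of-service symptom the thread is discussing.
        return "rejected: tool crashed with %s" % result.signal_name
    if result.status == "timeout":
        return "rejected: tool timed out"
    return "rejected: tool exited with status %d" % result.returncode


# Constructed stand-ins for the PDF tool (not a real podofo command line):
OK_TOOL = [sys.executable, "-c", "pass"]
FAILING_TOOL = [sys.executable, "-c", "import sys; sys.exit(2)"]
CRASHING_TOOL = [sys.executable, "-c",
                 "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
HANGING_TOOL = [sys.executable, "-c", "import time; time.sleep(60)"]


if __name__ == "__main__":
    for name, argv in [("ok", OK_TOOL), ("failing", FAILING_TOOL),
                       ("crashing", CRASHING_TOOL), ("hanging", HANGING_TOOL)]:
        print("%-9s -> %s" % (name, handle_request(argv, timeout=1.0)))
```

The split between `run_pdf_tool` and `handle_request` is deliberate: the first only reports what happened, the second decides what the service does about it, so a crash ends up as a rejected request and a distinct log event rather than a dead worker. The timeout matters for the same reason as the crash handling: a parser that loops on a malformed file is as much a DoS as one that segfaults.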
