Hi,

Adam Borowski writes:

> On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
>> Adam Borowski writes:
>> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>> >> Actually, imagemagick is one of the worst offenders here. The version in
>> >> Jessie is at deb8u9, and every security update tends to mention ~20 CVEs.
>> >
>> > ... aaaand, just hours later, here comes deb8u10:
>> >
>> > # Package : imagemagick
>> > # CVE ID : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
>> > # CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
>> > # CVE-2017-11360 CVE-2017-11188
>> > # Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
>> > # 868184 867810 867808 867811 867812 867896 867798 867821
>> > # 867824 867825 867826 867893 867823 867894 867897
>>
>> Totally untested, but you might try to replace imagemagick with
>> graphicsmagick. It's at deb8u ;-)

My bad, graphicsmagick is at deb8u2.

Are the security conscious just picking on imagemagick, or is graphicsmagick
less susceptible? Dunno.

> It's a fork, so it suffers from the same vulnerabilities as imagemagick. It
> might get better only after someone rewrites everything from scratch (in
> which case there'll be a whole new set of bugs).

Devuan is a fork of Debian. I think we both agree that the former suffers
at least one problem less than the latter ;-)

By the same or at least a very similar token, I would hope that perhaps
graphicsmagick suffers from a few less vulnerabilities than imagemagick.
True, I have no hard data to back that up. It was just a suggestion.

I've used the CLI and library C/C++ APIs of both in the past, and through
that have developed a better opinion of graphicsmagick. It was forked 15(!)
years ago. ImageMagick has had a reputation of willy-nilly changing CLI and
library APIs as well as image processing results between versions.
GraphicsMagick has on the whole been a lot more stable in that respect, so
I would *guess* that its developers have been able to shake out most
vulnerabilities over the years without introducing many new ones.

Just a thought,
-- 
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
 Support Free Software https://my.fsf.org/donate
 Join the Free Software Foundation https://my.fsf.org/join

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng