Hi,

After the bad experience of those "security" patches flying around, I would like to establish a clear process to deal with such stuff. I think security issues are real and should be addressed. And I prefer to address them myself, so you would know who to blame if anything fails.

The proposed process is quite simple: if you detect a potential security issue and are able to create a patch, please send me the patch to analyse. I have an extensive test bed of apps and utilities using lcms, so I can check that all of those go fine.
Please avoid advisories if possible, as doing so hints at how to use the flaw for malicious purposes. Credits to vulnerability busters will be given on each release.

After the patch proves to be harmless, I will send a signed mail with the patch attached to the mailing list. That is, you get a patch from upstream that upstream claims to be reasonably tested. I will apply the same checks that I do before a normal release. Please understand that this is a lot of work, and obviously it can fail as well, so the "no guarantee" clause of the MIT license applies.

If you choose to redistribute such patches, please make sure to include the mail, or at least the MIT license. There are legal issues with such patches and there have been cases of people being sued for distributing things like that. By including the MIT license you avoid getting into legal trouble.
I've picked a report from the Gentoo team, which may well serve as a test. You would not expect to have many of those reports, at least of such low severity. The issue would almost never happen because it requires a crafted monochrome profile used as output, but as said, this is intended to test the process.

See below a signed mail with the patch and a description of the issue. If you have any feedback on this process, please let me know.

Many thanks to Robert Buchholz, from Gentoo, for suggesting the signed mail approach and providing the patch. I don't know this time who discovered the flaw, so I apologize for not including him in the copyright. If you are the author, please let me know and credits will be given in the next lcms release.

Best regards,
Marti Maria
The LittleCMS project
http://www.littlecms.com
_______________________________________________
Lcms-user mailing list
Lcms-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lcms-user