On Wed, Apr 10, 2024 at 12:17:33PM -0400, Roberto C. Sánchez wrote:
> On Mon, Apr 08, 2024 at 07:56:40PM +0300, Adrian Bunk wrote:
> > On Mon, Apr 08, 2024 at 05:34:47PM +0200, Moritz Muehlenhoff wrote:
> > >
> > > So a useful next step would be to break those reports down into separate
> > > bug reports and file them there so that upstream actually learns about
> > > them.
> >
> > I don't think that makes much sense.
> >
> > When I checked, the last activity from upstream in the bug tracker was
> > a year ago.
> >
> > Some of the older CVEs are fixed in the upstream VCS, but there are
> > unfixed ones in the bug tracker going back to 2020.
> >
> > The 2024 CVEs are 21 buffer overflows and 2 NULL pointer dereferences,
> > there is likely a lot of low hanging fruit one could fix (and then
> > forward upstream) when spending 2 or 3 days on the package.
>
> Even if upstream is dead, dormant, or not acting on bug reports, I agree
> with Moritz that submitting the reports upstream (to SourceForge) is
> still good and something that we should make an effort to do.
>
> First, the bugs are in fact upstream bugs and if we can break them down,
> identify, fix them, and then forward the fixes (as patches or PRs)
> upstream, others will be able to find the issues and the related fixes.
> Second, it seems like we would have to do all of those things (except
> the "forward to upstream" part) in any case to fix the CVEs for LTS, so
> the "forward to upstream" step is only a very small additional step.
My point was that an opposite approach of doing only "file upstream bugs
and wait for upstream to fix the CVEs" is unlikely to have a positive
outcome in this case.

Forwarding fixes upstream is of course desirable, even when upstream is dead.

> > For me it was an "I don't want to do that right now" and I didn't work
> > on the package at that point, but I don't see a technical reason against
> > someone fixing the CVEs.
>
> So, whoever is working on freeimage (Ola?) should take into account that
> this is part of what needs to be done.
>
> Regards,
>
> -Roberto

cu
Adrian