Hi Ola,

On 10/04/24 at 22:08, Ola Lundqvist wrote:
> Hi all
>
> Sorry for late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the fedora patches. The patches seem to help for those
> specific issues they solve.
>
> My intention for claiming the package was to go through the CVEs and
> mark them with postponed or similar.
> When I'm done with that maybe I will start to fix things, but I
> claimed it just to avoid double work when going through the issues.
>
> I'll start with that now and I hope I can release the package when I'm
> done with that. I'll re-claim it when/if I think they are worth
> fixing.
IMHO, claiming a package means working at addressing the issues, fixing them. (Re)Triaging of course can/must be done, for example to confirm whether or not the issue affects specific Debian releases. So it reads weird to claim a package to mark issues as postponed.

> What is clear after checking all reverse dependencies is that all
> software packages using freeimage library are of the "tool" type. You
> run it with human interaction and the user using the tool should know
> the input. This reduces the severity of the problems.

I am afraid I completely disagree with that. Malicious actors could take advantage of security flaws (such as buffer overflows) in interactive tools to, e.g., run arbitrary code, cause DoSs, etc. This is true for PDF readers, image processing tools, etc. Part of our mission is to help Debian users to have secure systems, and this includes interactive tools.

-- 
Santiago