On 08/01/2018 01:46 AM, Daniel P. Berrangé wrote: > The list of ImageMagick CVEs is horrific - 59 open CVEs - for something > that is often going to be used in a scenario where it is fed untrustworthy > images. exiv2 is pretty concerning too with 19 open CVEs, again for > something often used with untrustworthy input images :-(
Yeah, but this is a good example. I haven't looked at the current crop, but I did an update for ImageMagick a while back that fixed a gigantic ton of CVE's. On looking at them however, they were almost all filed from someone running a fuzzer over the source. Upstream then fixed the issues which is great, but in many cases they noted it was very hard/impossible to make an expolit out of them for various reasons. So, just seeing 59 CVE's doesn't tell the whole story. I'm not sure what the answer is here, I'm pretty sure there's no one simple answer. Perhaps a combo of concentrating on the important ones and making things more visible (generate a list of the important ones asking for help once a cycle?). kevin
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/GGFEGN3KP4AK6O7PFEK3XKM4Q23AIGSH/
