Thanks. Are you upgrading the regular Debian Netpbm package -- the one that hasn't been upgraded in over 20 years -- or something else?
I have adopted the netpbm-security-scripts.patch code into the current Development release in Sourceforge.

I don't believe netpbm-CVE-2017-2587.patch has any effect applied to Netpbm 10.97 because it tests some pointers for null that cannot be null. The "Description" at the top of the patch file says it fixes a problem that existed before 10.61.

Most of netpbm-security-code.patch has no effect because Netpbm checks the inputs to arithmetic for "computable size" long before the arithmetic is done. For example, the library routine that reads the header of a Netpbm image never returns a width value so great that adding 1 to it would cause it to overflow an "int". Thus, there is no need to check for overflow everywhere we code "width+1". (I know this is not as robust as checking for overflow at the site of the arithmetic, but I like it better because it saves cluttering the code). Those early checks for "computable size" did not exist when this patch was originally written, by the way. Arithmetic overflow possibilities were plenty in those days. I'm sure some of this large patch still prevents overflow, but probably like you, I don't have time to analyze every line to know for sure.

netpbm-ppmfadeusage.patch is Debian-specific because it says to use a 'man ppmfade' command and since the Sourceforge package does not include man pages, this won't work for everyone. (I note that it's of trivial value and inconsistent with other programs in Netpbm, so I'm curious as to how it warranted a Debian patch).

I'm also skipping python3.patch, because it is also probably Debian-specific and I'm not sure how that might affect other systems.

--
Bryan Henderson
San Jose, California

--
Pkg-phototools-devel mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-phototools-devel
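To illustrate the "computable size" idea discussed above (bounding image dimensions at header-read time so that later arithmetic such as "width+1" cannot overflow an int), here is an added example in C. It is not Netpbm's code; COMPUTABLE_MAX, the header format accepted by read_ppm_header and the helper names are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical bound (not Netpbm's actual limit). Any dimension, and the
 * product of the two dimensions, must stay at or below this, so that
 * expressions like (width + 1) * 3 or width * height * 6 fit in an int. */
#define COMPUTABLE_MAX (INT_MAX / 8)

/* True if width and height are safe for later int arithmetic. */
bool dimensions_computable(long width, long height) {
    if (width < 1 || height < 1)
        return false;
    if (width > COMPUTABLE_MAX || height > COMPUTABLE_MAX)
        return false;
    /* width * height must fit too; test with division to avoid overflow. */
    if (height > COMPUTABLE_MAX / width)
        return false;
    return true;
}

/* Parse a minimal constructed header "P6 <width> <height> <maxval>".
 * Returns 0 on success, -1 if malformed, -2 if the size is rejected.
 * The rejection happens here, once, rather than at every arithmetic site. */
int read_ppm_header(const char *hdr, int *width, int *height, int *maxval) {
    long w, h, m;
    if (sscanf(hdr, "P6 %ld %ld %ld", &w, &h, &m) != 3)
        return -1;
    if (!dimensions_computable(w, h) || m < 1 || m > 65535)
        return -2;
    *width = (int)w;
    *height = (int)h;
    *maxval = (int)m;
    return 0;
}

/* Convenience wrapper returning only the status code of the header check. */
int header_status(const char *hdr) {
    int w, h, m;
    return read_ppm_header(hdr, &w, &h, &m);
}

/* Because read_ppm_header bounded width, this "width + 1" style arithmetic
 * cannot overflow and needs no check of its own. */
int row_bytes_with_padding(int width) {
    return (width + 1) * 3;
}
```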
