CVE-2017-6311

Salvatore Bonaccorso carnil at debian.org
Wed Mar 22 06:19:55 UTC 2017


Hi Michael,

On Wed, Mar 22, 2017 at 07:05:28AM +0100, Michael Biebl wrote:
> On 22.03.2017 at 06:39, Salvatore Bonaccorso wrote:
> 
> >>    * Add new libgdk-pixbuf2.0-bin package to install thumbnailer
> >>      binary and metadata needed by gnome-desktop 3.23 (LP: #1665602)
> >>    * Have libgdk-pibxuf2.0-0 recommend libgdk-pixbuf2.0-bin
> >>    * debian/rules: Change dh_install's --list-missing to --fail-missing to
> >>      catch this issue sooner next time
> > 
> > I had no time to actually check the done upload, but can you please
> > double check that with this upload CVE-2017-6311,
> > https://bugzilla.gnome.org/show_bug.cgi?id=778204 is not opened up?
> 
> Thanks for the heads up!
> Looking at https://security-tracker.debian.org/tracker/CVE-2017-6311,
> I'd say the version information is slightly incorrect.
> stretch,sid is marked as affected but we do not actually build/enable
> the thumbnailing code there.

Thanks for the fast reply. To clarify the above: it is actually
correct for our tracking, since we track issues in the source code.
*BUT* given the build code is not present up to now in stretch and sid
in any built binary packages, the severity is so called 'unimportant'.

See:
https://security-team.debian.org/security_tracker.html#severity-levels

"""
unimportant: This problem does not affect the Debian binary package,
e.g., a vulnerable source file, which is not built, a vulnerable file
in doc/foo/examples/, PHP Safe mode bugs, path disclosure (doesn't
matter on Debian). All "non-issues in practice" fall also into this
category, like issues only "exploitable" if the code in question is
setuid root, exploits which only work if someone already has
administrative privileges or similar. This severity is also used for
vulnerabilities in packages which are not covered by security support.
"""

Hope that helps!

My concern actually is not that once the experimental version would
enter unstable, and the issue would not be fixed, then the status
would change here.

Salvatore
