[Pkg-phototools-devel] Bug#854978: closed by Debian FTP Masters <ftpmaster at ftp-master.debian.org> (reply to Andreas Tille <tille at debian.org>) (Bug#854978: fixed in netpbm-free 2:10.97.00-1)

Salvatore Bonaccorso carnil at debian.org
Sun Mar 13 21:11:48 GMT 2022


Hi Andreas,

Thanks for your prompt reply!

On Sun, Mar 13, 2022 at 10:02:15PM +0100, Andreas Tille wrote:
> Hi Salvatore,
> 
> On Sun, Mar 13, 2022 at 09:33:01PM +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Mar 13, 2022 at 10:24:16AM +0000, Debian Bug Tracking System wrote:
> > > >      CVE-2017-2579, CVE-2017-2580 and CVE-2017-2581 before 10.61 thus
> > > >       - Closes: #854978
> > > 
> > > The before 10.61 is just because of the CVE description right? Note we
> > > cannot rely on the CVE description, because they might reflect a
> > > specific writing up in time and other aspects.
> > > 
> > > Do we have an upstream revision indicating that those issues are
> > > really fixed?
> > 
> > For example, CVE-2017-2581 is probably
> > https://sourceforge.net/p/netpbm/code/2989/ ? (which would only be in
> > 10.78.05). So one really needs to be careful with description
> > information and verify if those are true. If following the SuSE triage
> > then *possibly* for two issues the fix is revision 2821 upstream,
> > while for CVE-2017-2581 it would be the above.
> 
> I admit I just trusted the description without checking the code in
> detail.  If you think this is wrong I'm perfectly fine if you reopen the
> bug.

I will try to check the above and see if we can be confident enough
that it's fixed in both r2821 for two CVEs and r2989 for
CVE-2017-2581. I do not know yet if this is wrong or still true, so
maybe if we want to play on the safe side it might be wise to reopen the
bug until confirmed. But I definitely won't go wasting your time as
well. We did keep the issues actually as "undetermined" in the
security-tracker because it was hard enough to track down the status
back on triage time.

> > Thanks for looking into the update!
> 
> It was obviously very long overdue and I did my best in the limited
> time span I was able to spent on this package.

Ack!

Regards,
Salvatore