[Pkg-phototools-devel] Please verify patches applied to Debian package
Bryan Henderson
bryanh at giraffe-data.com
Fri Mar 18 00:57:07 GMT 2022
Thanks. Are you upgrading the regular Debian Netpbm package -- the one that
hasn't been upgraded in over 20 years -- or something else?
I have adopted the netpbm-security-scripts.patch code into the current
Development release in Sourceforge.
I don't believe netpbm-CVE-2017-2587.patch has any effect applied to Netpbm
10.97 because it tests some pointers for null that cannot be null. The
"Description" at the top of the patch file says it fixes a problem that
existed before 10.61.
Most of netpbm-security-code.patch has no effect because Netpbm checks the
inputs to arithmetic for "computable size" long before the arithmetic is done.
For example, the library routine that reads the header of a Netpbm image never
returns a width value so great that adding 1 to it would cause it to overflow
an "int". Thus, there is no need to check for overflow everywhere we code
"width+1". (I know this is not as robust as checking for overflow at the site
of the arithmetic, but I like it better because it saves cluttering the code).
Those early checks for "computable size" did not exist when this patch was
originally written, by the way. Arithmetic overflow possibilities were plenty
in those days.
I'm sure some of this large patch still prevents overflow, but probably like
you, I don't have time to analyze every line to know for sure.
netpbm-ppmfadeusage.patch is Debian-specific because it says to use a 'man
ppmfade' command and since the Sourceforge package does not include man pages,
this won't work for everyone. (I note that it's of trivial value and
inconsistent with other programs in Netpbm, so I'm curious as to how it
warranted a Debian patch).
I'm also skipping python3.patch, because it is also probably Debian-specific
and I'm not sure how that might affect other systems.
--
Bryan Henderson San Jose, California
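The two approaches the mail contrasts, as an added example that is not Netpbm's own code or the Debian patch: a header reader that rejects dimensions above an early "computable size" bound so that later `width + 1` style arithmetic needs no guard at each site, beside a per-site overflow check for the one computation that bound alone does not cover. The bound `COMPUTABLE_MAX`, the header format and the function names are this example's assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Upper bound accepted for a single image dimension at header-read time.
 * The value is this example's assumption, not Netpbm's real constant: it is
 * chosen so that width + 1 and 3 * width (RGB bytes per row) cannot overflow
 * an int downstream, which is the property the mail describes. */
#define COMPUTABLE_MAX (INT_MAX / 4)

/* Parse "<width> <height>" from a constructed header string.  Returns 0 and
 * stores the dimensions, or -1 if either value is missing, non-positive, or
 * above COMPUTABLE_MAX.  Rejecting here is the "early check": callers may
 * then do small arithmetic on the result without a guard at every site. */
int read_dimensions(const char *header, int *width, int *height)
{
    char *end;
    errno = 0;
    long w = strtol(header, &end, 10);
    if (end == header || errno != 0) return -1;
    const char *rest = end;
    long h = strtol(rest, &end, 10);
    if (end == rest || errno != 0) return -1;
    if (w < 1 || h < 1 || w > COMPUTABLE_MAX || h > COMPUTABLE_MAX) return -1;
    *width = (int)w;
    *height = (int)h;
    return 0;
}

/* Downstream arithmetic that relies on the early bound: for any width that
 * read_dimensions() returns, 3 * width + 1 fits in an int. */
int rgb_row_bytes_plus_sentinel(int width)
{
    return 3 * width + 1;
}

/* The alternative the mail contrasts with: check for overflow at the site of
 * the arithmetic.  Needed where the early bound alone is not enough, e.g. a
 * whole-image byte count, since COMPUTABLE_MAX squared exceeds INT_MAX.
 * Returns 0 and stores 3 * width * height, or -1 on overflow of size_t. */
int checked_rgb_image_bytes(size_t width, size_t height, size_t *out)
{
    if (width != 0 && height > SIZE_MAX / width) return -1;
    size_t pixels = width * height;
    if (pixels > SIZE_MAX / 3) return -1;
    *out = pixels * 3;
    return 0;
}
```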