Graeme Gill, 2009-04-04 10:33:00 +1100 :
> Roland Mas wrote:
>> Graeme, I'd like your opinion on this patch. It didn't apply cleanly
>
> Well, I find it interesting that whoever originally noticed problems
> didn't bother to contact me first; all they seemed interested in was
> their Linux distro. (I'm coming to the conclusion this is pretty
> typical behaviour, judging from similar responses to patches to
> xli. Courtesy in regard to upstream seems to be completely lacking,
> never mind concern about any other users of the library.)

I can't say anything for sure for this particular case since I'm not involved in Ghostscript, but from my experience this kind of behaviour is the exception rather than the norm. I'll drop a note to the Ghostscript maintainers in Debian and the Debian security team about that, though.

On the other hand, I believe such a situation could be avoided if icclib were not copied in various projects' code but linked dynamically. There would be fewer copies of the code around, and one canonical place to get it and fix it that everybody would benefit from. In this context, may I suggest that you release icclib (or icclib4 when it's ready) as a separate package? If you don't feel like it (and I won't blame you, you're the upstream author), then I'll probably split the Debian binary package off so Ghostscript can link against the lib coming from Argyll, but that will only apply in Debian and derivatives...

> The general issue addressed is probably fair enough, and was one
> motivating factor in attempting to develop icclib4, the (still
> unfinished, unreleased) ICCV4 version of icclib that has been written
> with security against crafted files particularly in mind. One of the
> things I realized in writing it was that although in icclib I had
> attempted to guard against wrong lengths and malloc failures, I hadn't
> understood the implications of integer overflow. The icclib4 approach
> is rather more robust than the patches against the current icclib;
> nevertheless, I'll attempt to audit the changes and update the
> code. (I note that Marti Maria has had an issue with someone
> contributing "security" fixes to lcms that turned out to be
> undesirable.)

Which is why I wanted to get your opinion on the patch :-)

> Thanks for bringing it to my attention.

Thanks for providing Argyll.

Roland.
-- 
Roland Mas
Save the beavers, print on both sides.
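Graeme's remark above, that a guard against wrong lengths is not enough once integer overflow is taken into account, is the kind of thing that is easiest to see in code. The following is an added illustration of that bug class and its fix, not icclib's own parser: it assumes a constructed, hypothetical tag-table layout (4-byte big-endian entry count followed by fixed-size entries) and a constructed 16-byte sample buffer.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout for illustration (not icclib's real format): a 4-byte
 * big-endian entry count followed by count entries of ENTRY_SIZE bytes each. */
#define ENTRY_SIZE 12u

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The "wrong length" guard on its own: count * ENTRY_SIZE is computed in
 * uint32_t and wraps modulo 2^32, so a huge count from a crafted file can
 * produce a small 'needed' that passes the check (and later an undersized
 * allocation that the entry loop overruns). */
int naive_length_ok(const unsigned char *buf, uint32_t len) {
    if (len < 4) return 0;
    uint32_t count = be32(buf);
    uint32_t needed = 4 + count * ENTRY_SIZE;   /* may wrap */
    return needed <= len;
}

/* Overflow-aware guard: bound count by the space that is actually left
 * before doing any multiplication, so the arithmetic cannot wrap. */
int safe_length_ok(const unsigned char *buf, uint32_t len) {
    if (len < 4) return 0;
    uint32_t count = be32(buf);
    return count <= (len - 4) / ENTRY_SIZE;
}

/* Constructed 16-byte sample: room for exactly one entry after the header. */
static void fill_sample(unsigned char *buf, uint32_t count) {
    memset(buf, 0, 16);
    buf[0] = (unsigned char)(count >> 24); buf[1] = (unsigned char)(count >> 16);
    buf[2] = (unsigned char)(count >> 8);  buf[3] = (unsigned char)count;
}

/* Returns 1 when the naive guard is fooled by a wrapping count while the
 * safe guard rejects it. 0x15555556 * 12 == 2^32 + 8, so 'needed' wraps to 12. */
int overflow_bypasses_naive_guard(void) {
    unsigned char buf[16];
    fill_sample(buf, 0x15555556u);
    return naive_length_ok(buf, 16) && !safe_length_ok(buf, 16);
}

/* Returns 1 when a legitimate count of 1 is accepted by both guards. */
int legit_count_accepted(void) {
    unsigned char buf[16];
    fill_sample(buf, 1u);
    return naive_length_ok(buf, 16) && safe_length_ok(buf, 16);
}
```

The same reasoning applies to any size computed from file-supplied fields before a malloc: check the operands against the available space, not the product.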