[argyllcms] Re: Security problems in Argyll's icclib

  • From: Roland Mas <lolando@xxxxxxxxxx>
  • To: argyllcms@xxxxxxxxxxxxx
  • Date: Sat, 04 Apr 2009 11:23:41 +0200

Graeme Gill, 2009-04-04 10:33:00 +1100 :

> Roland Mas wrote:
>>   Graeme, I'd like your opinion on this patch.  It didn't apply cleanly
>
> Well, I find it interesting that whoever originally noticed problems,
> didn't bother to contact me first, all they seemed interested in was
> their Linux distro. (I'm coming to the conclusion this is pretty
> typical behavior, judging from similar responses to patches to
> xli. Courtesy in regard to upstream seems to be completely lacking,
> never mind concern about any other users of the library).

I can't say anything for sure for this particular case since I'm not
involved in Ghostscript, but from my experience this kind of behaviour
is the exception rather than the norm.  I'll drop a note to the
Ghostscript maintainers in Debian and the Debian security team about
that, though.

  On the other hand, I believe such a situation could be avoided if
icclib were not copied in various projects' code but linked dynamically.
There would be fewer copies of the code around, and one canonical place
to get it and fix it that everybody would benefit from.  In this
context, may I suggest that you release icclib (or icclib4 when it's
ready) as a separate package?  If you don't feel like it (and I won't
blame you, you're the upstream author), then I'll probably split the
Debian binary package off so Ghostscript can link against the lib coming
from Argyll, but that will only apply in Debian and derivatives...

> The general issue addressed is probably fair enough, and was one
> motivating factor in attempting to develop icclib4, the (still
> unfinished, unreleased) ICCV4 version of icclib that has been written
> with security against crafted files particularly in mind.  One of the
> things I realized in writing it was that although in icclib I had
> attempted to guard against wrong lengths and malloc failures, I hadn't
> understood the implications of integer overflow.  The icclib4 approach
> is rather more robust than the patches against the current icclib,
> nevertheless, I'll attempt to audit the changes and update the
> code. (I note that Marti Maria has had an issue with someone
> contributing "security" fixes to lcms that turned out to be
> undesirable.)

  Which is why I wanted to get your opinion on the patch :-)

> Thanks for bringing it to my attention.

  Thanks for providing Argyll.

Roland.
-- 
Roland Mas

Sauvez les castors, imprimez en recto-verso.
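The integer-overflow point Graeme raises above (a length check that looks correct but wraps under 32-bit arithmetic when a crafted file supplies a huge size) is easy to see in a small parser. The following is an added example and is not code from icclib, icclib4 or Argyll; it walks an ICC-style tag table (128-byte header, 4-byte big-endian tag count, 12-byte entries of signature, offset and size) with a naive bounds check beside an overflow-safe one, on a constructed in-memory profile. The function names (`tag_in_bounds_naive`, `tag_in_bounds_safe`, `count_valid_tags`, `sample_tag_count`) and the sample tag values are assumptions for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* ICC files store all integers big-endian. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Naive check: `offset + size` is evaluated in uint32_t and can wrap past
 * zero, so a huge size paired with a moderate offset slips through even
 * though the tag data would lie far beyond the end of the file. */
bool tag_in_bounds_naive(uint32_t offset, uint32_t size, uint32_t filelen) {
    return offset + size <= filelen;
}

/* Overflow-safe check: compare with subtraction so no intermediate value
 * can exceed filelen, and therefore nothing can wrap. */
bool tag_in_bounds_safe(uint32_t offset, uint32_t size, uint32_t filelen) {
    return size <= filelen && offset <= filelen - size;
}

/* Walk the tag table with the supplied bounds check. Returns the number of
 * tags accepted, or -1 if the table itself does not fit in the buffer.
 * Note that ntags * 12 can also overflow, so ntags is bounded by the bytes
 * actually available before any multiplication happens. */
int count_valid_tags(const unsigned char *buf, uint32_t len,
                     bool (*check)(uint32_t, uint32_t, uint32_t)) {
    if (len < 132) return -1;
    uint32_t ntags = be32(buf + 128);
    if (ntags > (len - 132) / 12) return -1;
    int accepted = 0;
    for (uint32_t i = 0; i < ntags; i++) {
        const unsigned char *entry = buf + 132 + i * 12;
        uint32_t off = be32(entry + 4), sz = be32(entry + 8);
        if (check(off, sz, len)) accepted++;
    }
    return accepted;
}

/* Constructed 256-byte sample profile (assumed values, not a real profile):
 *   tag A: offset 200, size 16          -> genuinely in bounds
 *   tag B: offset 144, size 0xFFFFFFF0  -> 144 + size wraps to 128 in uint32
 *   tag C: offset 200, size 100         -> plainly past the end
 * Returns how many tags the chosen check accepts. */
int sample_tag_count(bool use_safe) {
    unsigned char buf[256];
    memset(buf, 0, sizeof buf);
    put32(buf + 128, 3);                       /* tag count */
    memcpy(buf + 132, "desc", 4); put32(buf + 136, 200); put32(buf + 140, 16);
    memcpy(buf + 144, "wtpt", 4); put32(buf + 148, 144); put32(buf + 152, 0xFFFFFFF0u);
    memcpy(buf + 156, "cprt", 4); put32(buf + 160, 200); put32(buf + 164, 100);
    return count_valid_tags(buf, (uint32_t)sizeof buf,
                            use_safe ? tag_in_bounds_safe : tag_in_bounds_naive);
}

int main(void) {
    printf("naive check accepts %d tag(s)\n", sample_tag_count(false)); /* 2 */
    printf("safe  check accepts %d tag(s)\n", sample_tag_count(true));  /* 1 */
    return 0;
}
```

The naive check accepts tag B, and a reader that then trusts `size` for a `malloc` or `memcpy` is exactly the situation the quoted paragraph describes: the length guard exists, but the arithmetic behind it was not overflow-safe. The same subtraction pattern applies to any `base + count * elemsize` computation in a file parser.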
