
Re: Wrong fixed version for cairo and CVE-2009-2044?
On Tue, 20 Apr 2010 16:41:04 +0200, Gerfried Fuchs wrote:
> * Michael Gilbert <michael.s.gilbert@gmail.com> [2010-04-20 16:20:13 CEST]:
> > On Tue, 20 Apr 2010 14:34:04 +0200, Gerfried Fuchs wrote:
> > >  This sounds reasonable - but actually the changelog isn't too cryptic
> > > here and I don't see anything in either 1.8.10-3 nor even 1.8.10-2 that
> > > would cause them to fix anything security related. I know that it can
> > > only be a wish, but could you at least try to read the according
> > > changelogs to see whether the version in squeeze could at least remotely
> > > have something to do with that the issue has gone away, and try to get
> > > more accurate information in the tracker with minimum effort.
> > 
> > I don't base my research on changelog entries.  I download the source,
> > and check. It would be a significant additional effort to do this for
> > backports for every issue, and I don't have the time or interest for
> > that.
> 
>  The changelog is part of the source, no one asked to download the
> backports source, too. 

The changelog may be wrong, and the only way to know for sure is to
check for the vulnerable code itself.  For me, that means downloading
and checking the backports source, which is additional effort for
something that I am not even interested in. 

> Actually the difference there is suspected to be
> non-significant with respect to the same version that was in testing at
> the time when the backporting happened.

I only base my research on present versions in the archive, which can
actually be checked.  I suppose I could make use of
snapshots.debian.org, but again that would be much more burdensome.

>  Actually makes me wonder: Did upstream not provide information on
> which of their releases fixed the issue? Usually they do, which
> actually would be a good idea for a quick ask and avoid even most
> additional effort. I don't buy the "significant additional effort"
> reasoning, sorry - a quick check in the included upstream ChangeLog file
> concluded that the fix was in since their 1.7.6 release, which predates
> at least the 1.8.2-1 Debian version, also according to upstream
> changelog.

Why should I talk to upstream for every issue when I can check the
source code myself?  Again, I record the version that I actually checked
in the tracker, rather than any claims made in the changelog.

> > I would suggest that those interested in backports right now keep an eye
> > on recently checked issues, and if they aren't closed in backports,
> > then check the source there, and correct the tracker as needed.
> 
>  It's more than "a significant additional effort" if the version
> information in the tracker can't be trusted, and according to your
> approach shouldn't be trusted. This is more than just a pain, sorry.

Backports is unsupported, so the fact that that information is in the
tracker is a bonus.  Maybe those pages should have a warning that says
that the data is less accurate since no one is "officially"
checking/supporting those packages.

mike