Hi,
Adam Borowski writes:
> On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
>> Adam Borowski writes:
>> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>> >> Actually, imagemagick is one of worst offenders here. The version in Jessie
>> >> is at deb8u9, and every security update tends to mention ~20 CVEs.
>> >
>> > ... aaaand, just hours later, here comes deb8u10:
>> >
>> > # Package : imagemagick
>> > # CVE ID : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
>> > # CVE-2017-10928 CVE-2017-11141 CVE-2017-11170
>> > # CVE-2017-11360 CVE-2017-11188
>> > # Debian Bug : 863126 867367 867778 867721 864273 864274 867806 868264
>> > # 868184 867810 867808 867811 867812 867896 867798 867821
>> > # 867824 867825 867826 867893 867823 867894 867897
>>
>> Totally untested, but you might try to replace imagemagick with
>> graphicsmagick. It's at deb8u ;-)
My bad, graphicsmagick is at deb8u2. Are the security conscious just
picking on imagemagick, or is graphicsmagick less susceptible? Dunno.
> It's a fork, so it suffers from same vulnerabilities as imagemagick. It
> might get better only after someone rewrites everything from scratch (in
> which case there'll be a whole new set of bugs).
Devuan is a fork of Debian. I think we both agree that the former
suffers at least one problem less than the latter ;-)
By the same or at least a very similar token, I would hope that perhaps
graphicsmagick suffers from a few fewer vulnerabilities than imagemagick.
True, I have no hard data to back that up. It was just a suggestion.
I've used the CLI and library C/C++ APIs of both in the past, and
through that have developed a better opinion of graphicsmagick. It was
forked 15(!) years ago. ImageMagick has had a reputation of willy-nilly
changing CLI and library APIs as well as image processing results
between versions. GraphicsMagick has on the whole been a lot more
stable in that respect, so I would *guess* that its developers have been
able to shake out most vulnerabilities over the years without
introducing many new ones.
Just a thought,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join