[Secure-testing-team] embedded library copies in monotone

Stefan Fritsch sf at debian.org
Tue Oct 16 20:52:40 UTC 2007


Hi Zack,

On Monday 15 October 2007, you wrote:
> > There are a number of packages including source code from
> > external libraries, for example poppler is included in xpdf, kpdf
> > and others.  To ensure that we don't miss any vulnerabilities in
> > packages that do so we maintain a list[6] of embedded code copies
> > in Debian.
>
> I maintain the monotone package, which presently contains embedded
> copies of several external libraries.  It is not on your list.
> (It's not presently in testing due to unrelated problems, but it
> hopefully will be again soon.)  Upstream is aware that this is a
> problem for Debian and other distributions, but has had serious
> problems with library version skew in the past and is therefore
> being very cautious and slow about opening up the possibility of
> using dynamic linkage. They've historically been very good about
> keeping up with upstream security fixes for the embedded libraries.
>
> The 0.36 source package embeds these libraries with equivalents
> already packaged for Debian:  liblua5.1 (same version as in
> Debian), libsqlite3-0 (ditto), libbotan1.6 (monotone's copy is
> version 1.5) and part of libidn11 (also way out of date).  It also
> embeds a copy of the NetXX library, which is not packaged for
> Debian and is dead upstream; until we find a replacement it is best
> to consider that part of monotone proper.
>
> The 0.37 source package will also embed libpcre (a newer version
> than in Debian - in fact, 0.37 is being held for the next upstream
> release of libpcre, which monotone upstream has been told has
> security implications.)

Thanks for the information, I added it to the list. But I really think
you should try to link dynamically in your Debian package where
possible, even if upstream doesn't want to do it. In particular
libpcre already had security issues in the past, so it would be
important that you try to link to the packaged version.

Cheers,
Stefan
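As an added example (not code from this thread, from Debian or from the monotone project), here is a heuristic scan in the spirit of the embedded-copies list discussed above: it walks a source tree for marker headers of the libraries named in the thread, reads the version each copy declares, and compares it with the version packaged for the distribution so that stale copies stand out. The marker file names, the version macros and the sample source tree are constructed assumptions for this example.

```python
import re
import tempfile
from pathlib import Path

# Marker header -> (library, regex whose groups form the declared version).
# Header names and version macros are assumptions made for this example.
MARKERS = {
    "lua.h": ("lua", re.compile(r'#define\s+LUA_VERSION\s+"Lua ([\d.]+)"')),
    "sqlite3.h": ("sqlite3", re.compile(r'#define\s+SQLITE_VERSION\s+"([\d.]+)"')),
    "pcre.h": ("pcre", re.compile(
        r'#define\s+PCRE_MAJOR\s+(\d+).*?#define\s+PCRE_MINOR\s+(\d+)', re.S)),
}

def find_embedded(root):
    """Walk a source tree; return {lib: (declared_version, relative_path)}."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.name not in MARKERS:
            continue
        lib, pattern = MARKERS[path.name]
        match = pattern.search(path.read_text(errors="replace"))
        if match:
            found[lib] = (".".join(match.groups()), str(path.relative_to(root)))
    return found

def key(v):
    return tuple(int(x) for x in v.split("."))

def compare(found, packaged):
    # Rows of (lib, embedded_version, packaged_version, status).
    rows = []
    for lib, (ver, _path) in sorted(found.items()):
        pkg = packaged.get(lib)
        if pkg is None:  # no packaged equivalent (like netxx): part of the package
            rows.append((lib, ver, None, "not packaged"))
            continue
        order = (key(ver) > key(pkg)) - (key(ver) < key(pkg))
        rows.append((lib, ver, pkg, {-1: "older than packaged", 0: "same as packaged",
                                     1: "newer than packaged"}[order]))
    return rows

def build_sample_tree():  # constructed stand-in for a source package
    root = tempfile.mkdtemp()
    samples = {"lua/lua.h": '#define LUA_VERSION\t"Lua 5.1"\n',
               "sqlite/sqlite3.h": '#define SQLITE_VERSION "3.4.2"\n',
               "pcre/pcre.h": '#define PCRE_MAJOR 7\n#define PCRE_MINOR 4\n'}
    for rel, text in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text)
    return root
```

Running `compare(find_embedded(build_sample_tree()), packaged_versions)` with a dict of the distribution's packaged versions lists each copy as older, newer, the same, or not packaged; the versions in the sample tree are constructed, not monotone's real ones.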
