[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE

Michael S Gilbert michael.s.gilbert at gmail.com
Sun Aug 30 18:24:01 UTC 2009


On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:

> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > +	- xulrunner <unfixed>
> > +	NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
> 
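
Review bot: the `<unfixed>` marker on the xulrunner line is set from the presence of a libpng copy in the source tree alone, and the NOTE does not record whether [./modules/libimg/png/*] is actually compiled into the binary packages or whether the build uses the system libpng. Confirm that before recording the package as affected, and state the result in the NOTE. The "possibly [./gfx/cairo/cairo/*]" part should be verified or dropped, since an unconfirmed path leaves the entry with no clear condition for closing it.
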
> You should check whether the code is actually compiled in. 
> xulrunner links dynamically against libpng, so it is not affected.
> 
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

oh, and wouldn't a "complete" fix for an embedded code copy involve a
patch that strips the embedded code from the debian source package?

maybe this isn't the current state of play, but we should probably push
for this.

mike


