[Secure-testing-team] Embedded code copies in games (was: Re: Sorting out the Quake2 situation)
Guillem Jover
guillem at debian.org
Wed Dec 2 17:24:21 UTC 2009
On Tue, 2009-12-01 at 22:44:38 -0500, Michael Gilbert wrote:
> On Wed, 2 Dec 2009 09:28:31 +0800 Paul Wise wrote:
> > Could someone let the Debian security team know about that? Their
> > embedded-code-copies file doesn't mention these three:
> >
> > http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies
>
> thanks for pointing this out. i have added these to the list. if you
> all can check your packages and forward any other embedded code copies
> included in your games packages, that would be immensely helpful.

I tend to file bug reports when I find embedded copies, with the
security tag set, which AFAIK gets the team notified. And note them
down as candidates to look for in other places.

Anyway, a few I've found recently, which I had noted down to report:

* tinyxml
  This one is not (yet) packaged in Debian.
  Found in libphysfs, cal3d and crystalspace.
  There seem to be several more:
  <http://source.debian.net/source/search?path=tinyxml.h>

* lzma
  Understandable as there's not been a liblzma until recently, now
  provided by the xz-utils package which is supposed to deprecate the
  lzma one in the future. It would be great to switch all of those to
  use the new shared library, and remove the embedded copies.
  Found in libphysfs.
  There's lots of this, but not all are embedded copies:
  <http://source.debian.net/source/search?path=lzma>

regards,
guillem