[Pkg-javascript-devel] Bug#692434: Bug#692434: Affected files included in other packages

Dominic Hargreaves dom at earth.li
Sat Feb 2 12:34:24 UTC 2013


On Sat, Nov 24, 2012 at 02:43:02PM +0100, Jonas Smedegaard wrote:
> Quoting Maximiliano Curia (2012-11-24 13:49:30)
> > I'm not sure how to build [SWF] files, and the list of md5sums in the
> > yuilibrary page suggests that it's not expected that users build those.
> > The build process of yui deletes the distributed swf files, and generates
> > them again. But it doesn't rebuild the "charts.swf" file.
> 
> Beware that commonly upstream do not distinguish between
> (re)distributors and (end-)users.
> 
> Debian Policy mandates that we compile from (true!) source, no matter if
> upstream encourages that or not.
> 
> 
> > Not generating the charts.swf file is a real security issue, since
> > this file is bundled in other packages (icinga-web and glpi), which
> > include the swf listed as version 2.8.2.
> 
> Convenience copies of code from other upstream projects should always be
> reported to the security team, not only _when_ it becomes a security
> issue: please report above ones to the security team!

This bug has been cloned for the other packages which embed copies
of YUI, as far as I can tell.

> > It would be a really good idea to build charts.swf from source, but
> > I'm not sure how to do it.
> 
> Neither am I, but I know that Debian contains some SWF compilers...

charts.swf isn't installed, so from the point of view of the
yui source package and this bug, we can ignore that.

It does seem that uploader.swf and swfstore.swf need to be fixed
or removed from the examples. Since there appears to be no source
available for the fixes, at least at [1], I suggest that removing is
the best option.

[1] <https://github.com/yui/yui2/tree/master/src>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)