[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE

Michael S Gilbert michael.s.gilbert at gmail.com
Sun Aug 30 18:22:16 UTC 2009


On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:

> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > +	- xulrunner <unfixed>
> > +	NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
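
Review bot: the `- xulrunner <unfixed>` line marks the package as affected, but the NOTE under it only records that a libpng code copy is present in the source tree, and it hedges with "possibly" for [./gfx/cairo/cairo/*]. Suggest confirming whether the copy under [./modules/libimg/png/*] is actually built into the binary before marking it unfixed. The NOTE should then state that result and the version that was checked, and the cairo path should be either confirmed or dropped.
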
> 
> You should check whether the code is actually compiled in. 
> xulrunner links dynamically against libpng, so it is not affected.
> 
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

actually, the state is somewhat uncertain for libpng.  looking at
embedded-code-copies, it says 'NOTE: Debian 1.9.0.6 uses embedded
copy', '1.8.* us system libpng', and nowhere does it say the embed has
been fixed, so i interpret that to mean that it is not yet done for
1.9.0.13. this, of course, could just be a mistake in that file. i
will manually check on the situation, and update embedded-code-copies
with the correct info.

this triage will probably bring to light a lot of inconsistencies like
this.

mike


