[Secure-testing-team] Embedded code copies in games (was: Re: Sorting out the Quake2 situation)

Michael Gilbert michael.s.gilbert at gmail.com
Fri Dec 4 03:06:09 UTC 2009


On Wed, 2 Dec 2009 18:24:21 +0100 Guillem Jover wrote:
> * lzma
> 
> Understandable as there's not been a liblzma until recently, now
> provided by the xz-utils package which is supposed to deprecate the
> lzma one in the future. It would be great to switch all of those to
> use the new shared library, and remove the embedded copies.
> 
> Found in libphysfs.
> 
> There's lots of this, but not all are embedded copies:

so, what is the normal approach for handling non-issue embeds?  it
seems like it would be quite an undertaking to submit bugs for all the
lzma and tinyxml embeds (and of course a bunch of other packages
currently tracked) without a whole lot of reward.

at one point, one of the maintainers of one of the prototype-embedding
packages mentioned that they had fixed that embed in the past because
there was a lintian warning. perhaps a good approach would be to add
more lintian checks for additional known embeds?

in the prototype case, it somewhat reduced the scope of the problem
ahead of time, but still most maintainers ignored the warning.
perhaps a warning that said SECURITY would be more authoritative?

in terms of detecting specific file names to flag, it looks pretty
straightforward; simply add additional names/wildcards to lintian's
'files' check.  but a robust solution that detects specific code sets
in any file would take some (perhaps significant) work (especially
since those code sets may differ in different packages).

mike
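The two detection strategies contrasted above (matching known file names, as lintian's 'files' check does, versus looking for distinctive content inside any file so a renamed or merged copy is still caught) can be shown side by side in a small scanner. The following Python script is an added example written for this thread, not lintian's own code nor anything from the packages mentioned; the rule tables, the file-name globs, the content signatures, the sample source tree and the package name "mygame" are all constructed for illustration. It also shows the point that "not all are embedded copies": a source package that is itself the upstream of a library gets no warning for that library.

```python
"""Find embedded copies of known libraries in an unpacked source tree.

Two checks, mirroring the distinction in the thread:
  1. file-name / wildcard match: cheap, what a 'files'-style check can do
  2. content signature match: reads every file, catches renamed copies
Rule tables are constructed for this example and are not lintian's data.
"""
import fnmatch
import os
import re
import tempfile
from pathlib import Path

# Basename globs for files that usually only exist as embedded copies.
FILENAME_RULES = {
    "lzma": ["LzmaDec.[ch]", "LzmaEnc.[ch]", "Lzma2Dec.[ch]", "LzmaLib.[ch]"],
    "tinyxml": ["tinyxml.cpp", "tinyxml.h", "tinyxmlparser.cpp", "tinystr.*"],
    "prototype": ["prototype.js", "prototype-*.js"],
}

# Strings that survive renaming/reformatting (assumed distinctive enough).
CONTENT_RULES = {
    "lzma": [re.compile(rb"LzmaDec_DecodeToDic"), re.compile(rb"LZMA SDK")],
    "tinyxml": [re.compile(rb"\bTiXmlDocument\b")],
    "prototype": [re.compile(rb"Prototype\s*=\s*\{\s*Version:")],
}

MAX_CONTENT_BYTES = 4 * 1024 * 1024  # don't slurp huge data files


def match_filename(relpath):
    """Return the library whose file-name rule matches, or None."""
    name = os.path.basename(relpath)
    for lib, patterns in FILENAME_RULES.items():
        if any(fnmatch.fnmatch(name, pat) for pat in patterns):
            return lib
    return None


def match_content(data):
    """Return the library whose content signature is found, or None."""
    for lib, signatures in CONTENT_RULES.items():
        if any(sig.search(data) for sig in signatures):
            return lib
    return None


def scan_tree(root, source_package):
    """Walk `root`; return (relative path, library, how) for each hit.

    Hits for the library that `source_package` itself provides are
    dropped, since the upstream of a library is not an embedded copy.
    """
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        lib, how = match_filename(rel), "filename"
        if lib is None:  # cheap check failed, fall back to content scan
            lib, how = match_content(path.read_bytes()[:MAX_CONTENT_BYTES]), "content"
        if lib is None or lib == source_package:
            continue
        findings.append((rel, lib, how))
    return findings


# Constructed sample tree: one renamed lzma copy, one tinyxml copy under
# its usual name, one prototype.js, and two files of the package's own code.
SAMPLE_FILES = {
    "src/compress/unpack.c": b"/* local copy */\nSRes LzmaDec_DecodeToDic(CLzmaDec *p)\n",
    "third_party/tinyxml/tinyxml.cpp": b"class TiXmlDocument : public TiXmlNode {};\n",
    "htdocs/js/prototype.js": b"var Prototype = { Version: '1.6.1' };\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "lib/ourxml.h": b"/* the package's own parser, no TiXml here */\n",
}


def demo(source_package="mygame"):
    """Write the sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(tmp, source_package)


if __name__ == "__main__":
    for rel, lib, how in demo():
        print(f"{rel}: embedded copy of {lib} (matched by {how})")
```

Run as a script it reports three hits: prototype.js and tinyxml.cpp by file name, and the renamed lzma decoder only by content. The file-name table is what you would extend for a lintian-style check; the content table is the part that takes real work, because the signatures have to be chosen per library and kept from matching a package's own code.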
