[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#595171: CVE-2010-1519



Hi,

On Fri, Sep 03, 2010 at 12:15:09PM +0800, Paul Wise wrote:
> On Thu, Sep 2, 2010 at 9:08 PM, Christoph Egger <christoph@debian.org> wrote:
> 
> >    Would be probably best to get rid of glpng soon then (pabs: how's
> > the status on cromium-bsu there?). Unfortunately I'm VAC for another
> > week and probably offline most of the time (as well as keyless).
> 
> The SDL_Image loader released with chromium-bsu 0.9.14.1 from squeeze
> works but has a minor rendering glitch that I wasn't able to fix yet.
> Some details are available in the upstream bug report[1]. Help to fix
> it or any of the other upstream bugs would be very much appreciated.
> If the release team would accept the dependency change it I think it
> would be reasonable to switch chromium-bsu to SDL_image and remove
> glpng before squeeze releases instead of keeping it around. The impact
> of the glpng security issue on chromium-bsu is minimal since most
> people will never run it with anything other than the textures from
> chromium-bsu-data.
> 
> http://sf.net/support/tracker.php?aid=2998438

Agreed, there is no security issue as far as chromium-bsu is concerned,
since the attack vector for the generic library (providing malformed
graphics) doesn't exist.

According to the changelog chromium-bsu ships an embedded code copy
of libglpng? In that case it might be a good solution to revert to
the internal copy and simply remove the standalone version.

Cheers,
        Moritz


Reply to: