Re: MBF Announcement: Transition libpng12 -> libpng16
On Mon, Jan 4, 2016 at 9:06 PM, Simon McVittie wrote:

> https://lintian.debian.org/tags/embedded-library.html and
> https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co
> might be useful, although the latter seems to be outdated (it says
> libtk-img embeds libpng, which is no longer true). Is there a newer
> security team list somewhere?

I would suggest using Debian codesearch to find more code copies. The
embedded-code-copies file in the secure-testing repo is manually
updated, so often gets out of date.

https://wiki.debian.org/EmbeddedCodeCopies

> chromium and ice* might be able to move from their embedded copies to a
> newer system copy, or not, depending whether they've patched them.

secure-testing e-c-c doesn't mention chromium and doesn't say if ice*
use forks or embeds.

> I think eagle contains forks of its various libraries, but I could be
> wrong. It probably needs adding to the embedded code copies list
> multiple times?

https://security-tracker.debian.org/tracker/data/report

> syslinux (and the copy of it in d-i) runs at a level below Linux, so the
> system copy of libpng is not useful. If syslinux is parsing anything
> untrusted then you have much larger problems than libpng, so an outdated
> libpng is presumably not really a problem.

It would be nice if this used artifacts built from src:libpng instead
of embedding a copy of the code though.

--
bye,
pabs
https://wiki.debian.org/PaulWise