
Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



Moritz Muehlenhoff writes:

> In gmane.linux.debian.devel.release, you wrote:
>>
>> Hello,
>>
>> recently a bug has been reported for the lenny version of the
>> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>> package includes an embedded, vulnerable copy of the lib3ds library:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>>
>> The security team said that our proposed update did not warrant a
>> security update, and that we should make a stable release instead.
>>
>> The Debian Developers of this package and I now have available a new
>> version of the package which removes the embedded copy and makes the
>> compilation process link the generated libraries against the Debian
>> system's lib3ds version. I'm attaching the diff to this mail for you to
>> inspect. I wonder if the `high' priority that I have given to this
>> release is fine or not.
>
> That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
> would need to be updated along.

Yes, that was my intention. It seemed sensible to me to pull the
insecure code out of openscenegraph and make it depend on the new lib3ds
version. I thought that since the lenny and squeeze versions of lib3ds are
compatible, the latter could be backported shortly by the security
team.

What do you think? Should I wait for lenny's lib3ds to get fixed or
could we start updating openscenegraph to use the external library?

Regards,

Alberto
