
Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



Moritz Muehlenhoff writes:

> On Sun, Nov 07, 2010 at 10:20:50PM +0100, Alberto Luaces wrote:
>> Moritz Muehlenhoff writes:
>> 
>> > In gmane.linux.debian.devel.release, you wrote:
>> >>
>> >> Hello,
>> >>
>> >> recently a bug has been reported for the lenny version of the
>> >> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>> >> package includes an embedded, vulnerable copy of the lib3ds library:
>> >>
>> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>> >>
>> >> The security team said that our proposed update did not warrant a
>> >> security update, and that we should make a stable release instead.
>> >>
>> >> The Debian Developers of this package and I now have available a new
>> >> version of the package which removes the embedded copy and makes the
>> >> compilation process link the generated libraries against Debian system's
>> >> lib3ds version. I'm attaching the diff in this mail for you to
>> >> inspect. I wonder if the `high' priority that I have given to this
>> >> release is fine or not.
>> >
>> > That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
>> > would need to be updated along.
>> 
>> Yes, that was my intention. It seemed sensible to me to pull the
>> insecure code out of openscenegraph and make it depend on the new lib3ds
>> version. I thought that since lenny and squeeze versions of lib3ds are
>> compatible, the latter could be backported shortly by the security
>> team.
>> 
>> What do you think? Should I wait for lenny's lib3ds to get fixed or
>> could we start updating openscenegraph to use the external library?
>
> lib3ds also has been labeled as not warranting a DSA, so it won't be
> updated by the Security Team (we're barely keeping up with regular
> DSAs currently). Since it's orphaned it's unlikely to be updated in
> stable soon. Fixing it should be straightforward, though. The patch
> from my 1.3.0-5 NMU in unstable can be applied straight away for Lenny.

If that could be possible it would be great. In that case, I have
attached the debdiff that Adam asked for. Otherwise we would have to
remove 3DS support in openscenegraph, maybe breaking some end user
program.

Another possibility could be to fix the embedded lib3ds in
openscenegraph, just following the error description in the CVE.

Regards,

Alberto

Attachment: openscenegraph_deb.diff.bz2
Description: Binary data

