Re: [Pkg-javascript-devel] Bug#603513: yui: multiple xss issues in included swf files
- To: "Jaldhar H. Vyas" <jaldhar@debian.org>
- Cc: Thomas Goirand <zigo@debian.org>, 603513@bugs.debian.org, debian-release@lists.debian.org
- Subject: Re: [Pkg-javascript-devel] Bug#603513: yui: multiple xss issues in included swf files
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Wed, 1 Dec 2010 23:09:34 +0100
- Message-id: <20101201220934.GB20913@inutil.org>
- In-reply-to: <alpine.DEB.2.00.1011281400490.8153@localhost6.localdomain6>
- References: <20101114155348.be3d4d0e.michael.s.gilbert@gmail.com> <20101124204731.GA4501@galadriel.inutil.org> <alpine.DEB.2.00.1011280116540.8153@localhost6.localdomain6> <4CF298B1.5090707@debian.org> <alpine.DEB.2.00.1011281400490.8153@localhost6.localdomain6>
Jaldhar H. Vyas wrote:
> On Mon, 29 Nov 2010, Thomas Goirand wrote:
>
>> Take care if you do that: there's some reverse dependencies involved!
>> I'd rather that you just remove the swf files from the package, and
>> create a non-free package for them. There's many cases where you will
>> need yui, but not the attached swf files!!!
>
> Good point. There are only four components that include swf files. It
> should be possible to separate them out into a non-free package. I'll
> bear that in mind if there is no way to keep it all in main.
The following sourceless SWF files are included in YUI:
/usr/share/javascript/yui/connection/connection.swf
/usr/share/javascript/yui/uploader/assets/uploader.swf
/usr/share/javascript/yui/charts/assets/charts.swf
/usr/share/javascript/yui/swfstore/swfstore.swf
The following packages depend on libjs-yui:
serendipity
otrs2
moodle
loggerhead
jifty
fusionforge
extplorer
bugzilla3
webgui (sid only)
I only looked briefly in OTRS and Moodle and both seem to use
the connection module.
We should update the SWF files affected through #603513 with their
versions from YUI 2.8.2 and tag #591199 squeeze-ignore. For Wheezy
we can get the necessary SWF compilers into the archive and provide
a clean solution, but splitting these modules off to non-free has
the potential to cause all kinds of ugly breakage in important web
apps for very little gain.
Cheers,
Moritz
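As an added example (not code from the mail, from YUI or from any Debian package): a shell check that greps an application's source tree for references to the four SWF-bearing YUI 2 modules listed above, so that for each reverse dependency one can tell which of those modules it actually loads before deciding whether splitting them off would break it. The module names and SWF file names are the ones from the mail; the two sample application trees the script builds are constructed for the demo and do not describe any real package.

```shell
#!/bin/sh
# Added example, not code from the mail, YUI or any Debian package.
# Scans a web application's source tree for references to the four YUI 2
# modules that ship a sourceless SWF (connection, uploader, charts,
# swfstore, as listed in the mail), so that for each reverse dependency
# one can see which, if any, of those modules it actually loads.
# The application trees built by make_demo_apps are constructed for this
# demo and do not describe any real package.

# The four SWF-bearing modules as "module:swf-basename" pairs, one per line.
YUI_SWF_MODULES="connection:connection.swf
uploader:uploader.swf
charts:charts.swf
swfstore:swfstore.swf"

# yui_swf_refs DIR
# Prints "<module> <nfiles>" for each SWF-bearing module referenced under
# DIR, where nfiles is the number of files that mention either the module
# directory (yui/<module>/) or the SWF file itself.  Prints nothing when
# the tree uses none of them.
yui_swf_refs() {
    dir=$1
    printf '%s\n' "$YUI_SWF_MODULES" | while IFS=: read -r mod swf; do
        n=$(grep -rlE "yui/${mod}/|${swf}" "$dir" 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$mod" "$n"
        fi
    done
    return 0
}

# make_demo_apps BASE
# Builds two constructed application trees under BASE: one that loads the
# connection and swfstore modules, and one that only uses SWF-free YUI
# core modules.
make_demo_apps() {
    base=$1
    mkdir -p "$base/app-connection/templates" "$base/app-plain/templates"
    cat > "$base/app-connection/templates/header.html" <<'EOF'
<script src="/javascript/yui/connection/connection-min.js"></script>
EOF
    cat > "$base/app-connection/storage.js" <<'EOF'
// pulls in /javascript/yui/swfstore/swfstore-min.js, which loads swfstore.swf
EOF
    cat > "$base/app-plain/templates/header.html" <<'EOF'
<script src="/javascript/yui/yahoo-dom-event/yahoo-dom-event.js"></script>
EOF
}

# Usage: sh yui-swf-refs.sh /usr/share/otrs /usr/share/moodle ...
# With no arguments, runs against the constructed demo trees instead.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        printf '== %s\n' "$d"
        yui_swf_refs "$d"
    done
else
    demo=$(mktemp -d)
    make_demo_apps "$demo"
    for d in "$demo/app-connection" "$demo/app-plain"; do
        printf '== %s\n' "$d"
        yui_swf_refs "$d"
    done
    rm -rf "$demo"
fi
```

Run it with the install directories of the reverse dependencies as arguments; a tree that prints nothing uses none of the SWF-bearing modules, while one that prints `connection 1` loads the connection module from at least one file. The check matches on path and file name only, so a reference reached through a symlink or assembled at run time will not be counted.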