
Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



On Sun, 2010-11-07 at 11:55 +0100, Alberto Luaces wrote:
> recently a bug has been reported for the lenny version of the
> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
> package includes an embedded, vulnerable copy of the lib3ds library:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
> 
> The security team said that our proposed update did not warrant a
> security update, and that we should make a stable release instead.
> 
> The Debian Developers of this package and I now have available a new
> version of the package which removes the embedded copy and makes the
> compilation process link the generated libraries against the Debian
> system's lib3ds version.

Your own comment in the bug referenced above is that the embedded copy
of lib3ds contains changes which are not in the standard library.  If
that is the case, then won't using the packaged library cause problems
and/or regressions?

> I'm attaching the diff in this mail for you to
> inspect.

That "diff" appears to be the entirety of the debian/ directory, including
changelog entries going back to 2004.  In order to review it, we'd need
a debdiff of the source package currently in stable compared to your
proposed update (i.e. a debdiff of the .dscs).

> I wonder if the `high' priority that I have given to this
> release is fine or not.

Urgency is basically irrelevant for stable updates, as it makes no
difference as to when the package will move from p-u-new to
proposed-updates nor from there into stable.

(fwiw, the version number should be 2.4.0-1.1+lenny1 or similar;
possibly 2.4.0-2 if there was never such a revision in the archive.  The
current versioning implies that the package is an update to 2.4.0-2,
which is not the case)

Regards,

Adam
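Added illustration, not part of the thread: the dpkg version-ordering rules that the versioning remark above relies on, reimplemented in Python so the claim (2.4.0-1.1 sorts below 2.4.0-1.1+lenny1, which in turn sorts below 2.4.0-2) can be checked on a machine without dpkg. The helper `stable_update_ok` is my own name for that check.

```python
# Added example (not from the thread): dpkg's version ordering in Python.

def _order(c):
    # weight of a non-digit character in dpkg's verrevcmp(): "~" < end-of-string < letters < other
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # compare alternating non-digit / digit runs the way dpkg does
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")        # leading zeros are ignored
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1                                # longer digit run is the larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(v):
    # "[epoch:]upstream[-debian_revision]" -> (epoch, upstream, revision)
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1 / 0 / 1, matching `dpkg --compare-versions a lt|eq|gt b`
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def stable_update_ok(in_stable, proposed, next_in_archive):
    # a stable update must sort above what is in stable but below the next revision
    return (compare_versions(in_stable, proposed) < 0
            and compare_versions(proposed, next_in_archive) < 0)
```

`stable_update_ok("2.4.0-1.1", "2.4.0-1.1+lenny1", "2.4.0-2")` is true, while a proposed 2.4.0-2 would collide with a later 2.4.0-2 revision.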