
Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



"Adam D. Barratt" writes:

> On Sun, 2010-11-07 at 11:55 +0100, Alberto Luaces wrote:
>> recently a bug has been reported for the lenny version of the
>> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
>> package includes an embedded, vulnerable copy of the lib3ds library:
>> 
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
>> 
>> The security team said that our proposed update did not warrant a
>> security update, and that we should make a stable release instead.
>> 
>> The Debian Developers of this package and I now have available a new
>> version of the package which removes the embedded copy and makes the
>> compilation process link the generated libraries against the Debian
>> system's lib3ds version.
>
> Your own comment in the bug referenced above is that the embedded copy
> of lib3ds contains changes which are not in the standard library.  If
> that is the case, then won't using the packaged library cause problems
> and/or regressions?
>

Fortunately not, since those changes addressed some lib3ds deficiencies
at that time (assumed little endianness, assumed 32-bit system) that were
corrected in later lib3ds versions, including the one in stable. It is
not a serious proof, but I have loaded some 3ds files as a test and
they worked.

>> I'm attaching the diff in this mail for you to
>> inspect.
>
> That "diff" appears to be the entirety of the debian/ directory, including
> changelog entries going back to 2004.  In order to review it, we'd need
> a debdiff of the source package currently in stable compared to your
> proposed update (i.e. a debdiff of the .dscs).
>

I'll do it and get back to you.

>> I wonder if the `high' priority that I have given to this
>> release is fine or not.
>
> Urgency is basically irrelevant for stable updates, as it makes no
> difference as to when the package will move from p-u-new to
> proposed-updates nor from there in to stable.
>

Ok.

> (fwiw, the version number should be 2.4.0-1.1+lenny1 or similar;
> possibly 2.4.0-2 if there was never such a revision in the archive.  The
> current versioning implies that the package is an update to 2.4.0-2,
> which is not the case)
>

Understood. I will also correct this.

Thank you,

Alberto
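The two things the release team asks for above, a debdiff of the stable and proposed .dsc files and a version number of the form 2.4.0-1.1+lenny1 (or 2.4.0-2 only if that revision never existed in the archive), can be scripted. The following is an added example and is not part of the thread or of the openscenegraph package; the .dsc file names are placeholders, and the version check only encodes the naming rule stated in the mail, not a query of the archive.

```shell
#!/bin/sh
# Added example, not from the original thread.  Helpers for preparing a
# Debian stable update: check the proposed version string and build the
# debdiff of the two source packages (.dsc files) for the release team.

# stable_update_version_ok BASE PROPOSED
# Returns 0 when PROPOSED is an acceptable stable-update version of BASE:
#   - BASE+lennyN  (the normal form, e.g. 2.4.0-1.1+lenny1), or
#   - the next plain Debian revision (e.g. 2.4.0-2), which the mail allows
#     only if that revision was never uploaded; that archive check is not
#     done here and must be made by hand.
# Anything else (e.g. 2.4.0-2.1) wrongly implies an update of 2.4.0-2.
stable_update_version_ok() {
    base="$1"
    proposed="$2"
    upstream="${base%-*}"          # 2.4.0-1.1 -> 2.4.0
    revision="${base##*-}"         # 2.4.0-1.1 -> 1.1
    major_rev="${revision%%.*}"    # 1.1       -> 1
    next_rev=$((major_rev + 1))    # 1         -> 2
    case "$proposed" in
        "$base"+lenny[1-9]*)    return 0 ;;   # 2.4.0-1.1+lenny1
        "$upstream-$next_rev")  return 0 ;;   # 2.4.0-2 (only if never in the archive)
    esac
    return 1
}

# make_debdiff STABLE_DSC PROPOSED_DSC OUT
# Writes the source-package diff the release team wants to OUT.
# debdiff comes from the devscripts package; it exits 1 when the packages
# differ, which is the expected outcome here, so only 2+ is an error.
make_debdiff() {
    stable_dsc="$1"
    proposed_dsc="$2"
    out="$3"
    if ! command -v debdiff >/dev/null 2>&1; then
        echo "debdiff not found; install the devscripts package" >&2
        return 2
    fi
    debdiff "$stable_dsc" "$proposed_dsc" > "$out"
    rc=$?
    [ "$rc" -le 1 ] || return "$rc"
    echo "debdiff written to $out" >&2
    return 0
}

# Usage (placeholder file names):
#   stable_update_version_ok 2.4.0-1.1 2.4.0-1.1+lenny1 && echo "version ok"
#   make_debdiff openscenegraph_2.4.0-1.1.dsc \
#                openscenegraph_2.4.0-1.1+lenny1.dsc openscenegraph.debdiff
```

The version check is pure string matching, so it runs anywhere; the debdiff step needs the devscripts package and both .dsc files, with their .orig.tar.gz and .diff.gz, in the current directory.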

