
Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds



On Sun, Nov 07, 2010 at 10:20:50PM +0100, Alberto Luaces wrote:
> Moritz Muehlenhoff writes:
> 
> > In gmane.linux.debian.devel.release, you wrote:
> >>
> >> Hello,
> >>
> >> recently a bug has been reported for the lenny version of the
> >> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
> >> package includes an embedded, vulnerable copy of the lib3ds library:
> >>
> >> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
> >>
> >> The security team said that our proposed update did not warrant a
> >> security update, and that we should make a stable release instead.
> >>
> >> The Debian Developers of this package and I now have available a new
> >> version of the package, which removes the embedded copy and makes the
> >> compilation process link the generated libraries against the Debian
> >> system's lib3ds version. I'm attaching the diff in this mail for you to
> >> inspect. I wonder if the `high' priority that I have given to this
> >> release is fine or not.
> >
> > That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet, it
> > would need to be updated along.
> 
> Yes, that was my intention. It seemed sensible to me to pull out
> openscenegraph the insecure code and make it depend on the new lib3ds
> version. I thought that since lenny and squeeze versions of lib3ds are
> compatible, the latter could be backported in short by the security
> team.
> 
> What do you think? Should I wait for lenny's lib3ds to get fixed or
> could we start updating openscenegraph to use the external library?

lib3ds has also been labeled as not warranting a DSA, so it won't be
updated by the Security Team (we're barely keeping up with regular
DSAs currently). Since it's orphaned, it's unlikely to be updated in
stable soon. Fixing it should be straightforward, though. The patch
from my 1.3.0-5 NMU in unstable can be applied straight away for Lenny.

Cheers,
        Moritz
