
Bug#684243: poppler code embedded in luatex and possibly may be out of date and vulnerable



This appears to be a false positive in my tool due to some older package information I was using, which meant that it didn't detect that the libpoppler shared library/package was being used - even though the poppler source code was in the luatex tree.

--
Silvio

On Wed, Aug 8, 2012 at 5:37 PM, Hilmar Preusse <hille42@web.de> wrote:
On 08.08.12 Silvio Cesare (silvio.cesare@gmail.com) wrote:

Hi Silvio,

> Package: luatex
> Severity: important
> Tags: security
>
> I have been working on a tool called Clonewise to automatically
> identify embedded code copies in Debian packages and determine if
> they are out of date and vulnerable.  Ideally, embedding code and
> libraries should be avoided and a system wide library should be
> used instead.
>
I've no clue how your tool works. Yes, we ship a few lib sources
in the luatex source package, but not all of them are built, hence
not used.  Especially for poppler we use the shared poppler lib
packaged in Debian.

Could you double check if this is a false positive?

Hilmar
--
sigmentation fault

