
Bug#709145: [CVE-2009-3546]: contains embedded (and outdated) copy of libgd2



On Tue, May 21, 2013 at 11:24 AM, Norbert Preining <preining@logic.at> wrote:
> On Tue, 21 May 2013, Ondřej Surý wrote:
>> The new upload of texlive-bin contains and uses an outdated embedded
>> copy of GD library and must not enter testing until texlive-bin is
>> using the system GD library again.
>
> Wrong. Containing an embedded copy that is even compiled,
> but not linked against any program is not a reason for
> a serious bug.

I am not going to play BTS ping-pong, but you should close this bug
only when you start using the system libgd again.

texlive-bin MUST NOT migrate to testing with embedded outdated libgd.

> The only program in TeX Live that is linked against libgd is
> dvipng and this is built outside of TeX live.

Care to elaborate?  Either you need the sources or you do not.

> The TL infrastructure *needs* to build the library or use the
> system library.

If it builds the library you should fix the CVEs or at least check
that the affected code is not used by dvipng.

> Since using the sys library is currently impossible, we include
> a copy of the *not*used* libgd library.

That's not true, I have already uploaded a fixed libgd2 to unstable. My
opinion is that you should have asked me when a fixed version of libgd2
would be uploaded to unstable before rushing things.

O.
--
Ondřej Surý <ondrej@sury.org>
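The point argued over above is whether any texlive-bin program actually carries the compiled-in gd code. The script below is an added example, not code from the bug report, TeX Live or Debian; it classifies a binary from `readelf -d` (NEEDED entries) and `nm` (symbol table) output. Assumptions: the `gd_linkage` function name and the sample outputs are constructed here; the `nm` output must come from an unstripped binary (build tree or -dbgsym), because a stripped executable does not keep its internal gdImage* symbols and a plain `nm -D` will not show them.

```sh
#!/bin/sh
# Added example (not part of the bug report or of TeX Live/dvipng): decide
# from `readelf -d` and `nm` output whether a binary takes its GD code
# from the system libgd, from a copy compiled into the binary, or not at all.
# - A NEEDED entry for libgd.so.N means the dynamic loader supplies GD, so
#   the fixes in the system libgd2 package apply.
# - gdImage* symbols *defined* in the binary (nm type T/t) with no NEEDED
#   libgd mean an embedded copy was compiled and linked in.
# - gdImage* symbols that are only *undefined* (nm type U) are imports and
#   do not by themselves prove an embedded copy.
# Caveat: run nm on an unstripped binary; stripped executables drop these
# symbols. The sample outputs below are constructed for this example.

# gd_linkage READELF_D_OUTPUT NM_OUTPUT
# prints: system | embedded | none
gd_linkage() {
    readelf_out=$1
    nm_out=$2
    if printf '%s\n' "$readelf_out" | grep -q '(NEEDED).*\[libgd\.so'; then
        echo system
        return 0
    fi
    # nm line format: "<addr> <type> <name>"; undefined symbols have a blank
    # address field, so only defined (T/t) gdImage* symbols match here.
    if printf '%s\n' "$nm_out" | grep -Eq '^[0-9a-fA-F]+ +[Tt] +gdImage'; then
        echo embedded
        return 0
    fi
    echo none
    return 0
}

# Constructed sample 1: a dvipng-style binary linked against the shared libgd.
SYS_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libgd.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SYS_NM='                 U gdImageCreate
                 U gdImagePng'

# Constructed sample 2: the same program with the bundled gd compiled in.
EMB_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
EMB_NM='000000000001a2b0 T gdImageCreate
000000000001c400 T gdImagePng
                 U png_create_write_struct'

# Constructed sample 3: a binary that never touches gd at all.
NONE_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libkpathsea.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
NONE_NM='                 U kpse_find_file
0000000000002f10 T main'

# Usage on real binaries (needs binutils): ./gdcheck.sh /usr/bin/dvipng ...
# Without arguments the constructed samples are classified instead.
if [ $# -gt 0 ]; then
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" \
            "$(gd_linkage "$(readelf -d "$bin" 2>/dev/null)" "$(nm "$bin" 2>/dev/null)")"
    done
else
    printf 'sample 1 (shared libgd):   %s\n' "$(gd_linkage "$SYS_READELF" "$SYS_NM")"
    printf 'sample 2 (embedded gd):    %s\n' "$(gd_linkage "$EMB_READELF" "$EMB_NM")"
    printf 'sample 3 (no gd):          %s\n' "$(gd_linkage "$NONE_READELF" "$NONE_NM")"
fi
```

The "system" result is the one the bug asks for: only then does fixing CVE-2009-3546 in the libgd2 package fix the binary. An "embedded" result means the copy shipped inside texlive-bin is what runs, regardless of what libgd2 version is in unstable.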