
Bug#709145: [CVE-2009-3546]: contains embedded (and outdated) copy of libgd2



As I said, the texlive build system needs the configuration step even if the library is not used or built.

I don't need to say more, reading the build log and searching for "gd" is enough.

> texlive-bin MUST NOT migrate to testing with embedded outdated libgd.

Who decides that, you?

>> The only program in TeX Live that is linked against libgd is
>> dvipng and this is built outside of TeX live.
> 
> Care to elaborate?  Either you need the sources or you do not.

Care to search for the "dvipng" package?

I am not holding your hand and typing for you, I have other things to do.

> If it builds the library you should fix the CVEs or at least check
> that the affected code is not used by dvipng.

I told you that already! And dvipng is not my package.

> That's not true, I have already uploaded fixed libgd2 to unstable.

Good to know, still I actually don't see a need for pulling in a useless build dep if it is not necessary.

> My
> opinion

Yes there are many opinions in the world.

Norbert
