Hi,

On 03/08/2022 19:31, Moritz Mühlenhoff wrote:
> Am Sat, May 28, 2022 at 06:36:29PM +0200 schrieb Sylvain Beucler:
>> - the package uses system dxflib, cf. debian/patches/debian_build.patch
> 
> But is that functional/working as expected? librecad does not
> have any dependency on libdxflib3?

I stand corrected, thanks.

Looking further, according to
https://github.com/LibreCAD/LibreCAD/commit/71f1203c5dbfd49c0eabbeac1d763b6b6faccbf1
"Removed dxflib, only new libdxfrw are used" (2.0.0alpha4, pre-jessie)
dxflib is not responsible for DXF support anymore and the embedded
copy was removed.
Thus it is not needed to depend on libdxflib3.

A few files with common dxflib filenames or even copyright headers are
present in 'libraries/jwwlib', for the purpose of handling JWW files;
AFAICS this is entirely different code that probably roughly
started out as a copy of the previous DXF handler based on dxflib,
retaining some utility code from dxflib but rewriting the core.

The possibly vulnerable 'dl_jww-copy.cpp' in that folder, similar to
dxflib's 'dl_dxf.cpp', isn't compiled through debuild (at least in
buster), and hasn't been modified since its initial checkin.

Overall it seems librecad embeds dxflib only partially now.


On Wed, Aug 03, 2022 at 07:36:31PM +0200, Salvatore Bonaccorso wrote:
> Actually I believe this should be either:
> 
> - kept unfixed, as the source is affected but mark it as (unimportant)
>   as it has no relevance for the binary packages built 
> - drop the entry completely (see previous examples committed by jmm on
>   that matter when the embedded source had no security impact at all to
>   the source package mentioned).

Thanks for the explanation. Since the issue appears tricky I'm
committing option #1, so as to leave a trace.

Cheers!
Sylvain Beucler
Debian LTS Team