On 04/01/16 12:50, Tobias Frost wrote:
> On Monday, 04.01.2016, 12:00 +0000, Bastien Roucaries wrote:
>> Also add a bug to packages using embedded libpng 1.6, like texlive?
> 
> Thanks for the hint, I frankly forgot to check for code copies.

https://lintian.debian.org/tags/embedded-library.html and
https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co
might be useful, although the latter seems to be outdated (it says
libtk-img embeds libpng, which is no longer true). Is there a newer
security team list somewhere?

In addition to texlive:

chromium and ice* might be able to move from their embedded copies to a
newer system copy, or not, depending on whether they've patched them.

I think eagle contains forks of its various libraries, but I could be
wrong. It probably needs adding to the embedded code copies list
multiple times?

syslinux (and the copy of it in d-i) runs at a level below Linux, so the
system copy of libpng is not useful. If syslinux is parsing anything
untrusted then you have much larger problems than libpng, so an outdated
libpng is presumably not really a problem.

xserver-xorg-video-nvidia* are presumably unfixable (proprietary binaries).

    S
