On Tuesday, 19 January 2016, 00.38:02 Till Kamppeter wrote:
> On 01/14/2016 10:07 AM, Didier 'OdyX' Raboud wrote:
> > On Thursday, 14 January 2016, 01.38:19 Till Kamppeter wrote:
> >> Hi,
> >>
> >> I have released cups-filters 1.6.0 now, with the following changes:
> >> (…)
> >> - foomatic-rip: Fixed buffer overflow when reading environment
> >> variables CUPS_FONTPATH, CUPS_DATADIR, and GS_LIB (Bug
> >> #1336).
> >
> > Is this of any security-related concern?
>
> Yes, but it did not get a CVE.

Security-Team: an opinion there?

> > * files in backend/ say that they inherit from dnssd.c, and their
> > licence says:
> >> * Copyright 2008-2015 by Apple Inc.
> >> *
> >> * These coded instructions, statements, and computer programs are the
> >> * property of Apple Inc. and are protected by Federal copyright
> >> * law. Distribution and use rights are outlined in the file
> >> * "LICENSE.txt" "LICENSE" which should have been included with this
> >> * file. If this file is missing or damaged, see the license at
> >> * "http://www.cups.org/".
> >> *
> >> * This file is subject to the Apple OS-Developed Software exception.
> >
> > There's no "LICENSE{,.txt}" file in the cups-filters source package,
> > letting us up to guesses.
>
> This is the LICENSE.txt file of CUPS. I will look into whether I can
> copy it (or the relevant parts) into the COPYING file of cups-filters
> and modify the copyright headers appropriately.

That'd be good, thanks.

> Please tell me if there are more files not served by the COPYING file.
> > Could you please clean this up in the next cups-filters release? The
> > ideal way would be for you (as upstream) to adopt the CF-1.0 format
> > [CF1] for upstream's COPYING file.
> >
> > [CF1]
> > https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
> Will look into this.
>
> Is this the format used by Debian packages, will this simply allow to
> copy COPYING to debian/copyright?

It's a format accepted in Debian packages, so yes, it would simply allow
to be pasted there.

-- 
Cheers,
OdyX
