On Sun, 30 Aug 2009 19:57:47 +0200 Moritz Muehlenhoff wrote:
> On Sun, Aug 30, 2009 at 05:09:16PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > New Revision: 12708
> >
> > Modified:
> > data/CVE/list
> > Log:
> > beginning of embedded code copies triage (5 down 395 to go)
> >
> > + - xulrunner <unfixed>
> > + NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*]
> > and possibly [./gfx/cairo/cairo/*]
>
> You should check whether the code is actually compiled in.
> xulrunner links dynamically against libpng, so it is not affected.
>
> There's no reason to track such embeddings in the security tracker,
> since it's very common that the source packages still contain the
> local code copies even if they're not used anymore.

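Review bot: the added "- xulrunner <unfixed>" entry marks the package as affected, but the NOTE under it only records that a libpng copy is present in the source tree under ./modules/libimg/png/* and hedges with "possibly" for ./gfx/cairo/cairo/*. The NOTE should state whether each copy is actually compiled into the binary packages, and "<unfixed>" should stay only if it is; a copy that ships in the source but is not built fits "<not-affected>" with the NOTE kept as the record of the embedding.
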
oh, and wouldn't a "complete" fix for an embedded code copy involve a
patch that strips the embedded code from the debian source package?
maybe this isn't the current state of play, but we should probably push
for this.

mike
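
The check raised in the quoted reply (is the copy compiled in, or does the binary link against the system library?) can be scripted over dumps of a built binary. This is an added example, not part of the original thread or of Debian's tooling; the function name classify_copy, the "png_" symbol prefix and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify how a built binary uses a library that also exists as a source copy.
# Works on saved text dumps so triage can be repeated offline:
#   $1 = library stem, e.g. "png"
#   $2 = file holding `readelf -d <binary>` output
#   $3 = file holding `nm -D --defined-only <binary>` output
classify_copy() {
    stem=$1 dyn=$2 syms=$3
    linked=no embedded=no
    # A NEEDED entry for lib<stem>*.so* means the system library is loaded at run time.
    if grep -Eq "\(NEEDED\).*\[lib${stem}[0-9.]*\.so[0-9.]*\]" "$dyn"; then
        linked=yes
    fi
    # Defined symbols carrying the library's prefix mean its code was compiled in.
    # Assumption: the copy keeps the upstream "<stem>_" prefix; a bundled copy
    # built with renamed or hidden symbols will not show up here.
    if awk -v p="^${stem}_" '$2 ~ /^[TtDdBbRr]$/ && $3 ~ p {f=1} END {exit !f}' "$syms"; then
        embedded=yes
    fi
    case "$linked/$embedded" in
        yes/no)  echo system ;;        # source copy present but unused
        no/yes)  echo embedded ;;      # vulnerable code ships in the binary
        yes/yes) echo both ;;          # needs manual review
        *)       echo inconclusive ;;  # no evidence either way, not proof of absence
    esac
}

# Constructed sample dumps (not taken from a real xulrunner build).
tmp=$(mktemp -d)
cat >"$tmp/dyn" <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libpng12.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
cat >"$tmp/syms" <<'EOF'
0000000000004a10 T gfx_init
EOF
classify_copy png "$tmp/dyn" "$tmp/syms"
rm -rf "$tmp"
```

A result of "system" supports dropping the package from the affected list, while "embedded" or "both" means the source copy is a real exposure that needs its own fix.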

