On Mon, Jan 4, 2016 at 9:06 PM, Simon McVittie wrote:

> https://lintian.debian.org/tags/embedded-library.html and
> https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co
> might be useful, although the latter seems to be outdated (it says
> libtk-img embeds libpng, which is no longer true). Is there a newer
> security team list somewhere?

I would suggest using Debian codesearch to find more code copies.

The embedded-code-copies file in the secure-testing repo is manually updated, so often gets out of date.

https://wiki.debian.org/EmbeddedCodeCopies

> chromium and ice* might be able to move from their embedded copies to a
> newer system copy, or not, depending whether they've patched them.

secure-testing e-c-c doesn't mention chromium and doesn't say if ice* use forks or embeds.

> I think eagle contains forks of its various libraries, but I could be
> wrong. It probably needs adding to the embedded code copies list
> multiple times?

https://security-tracker.debian.org/tracker/data/report

> syslinux (and the copy of it in d-i) runs at a level below Linux, so the
> system copy of libpng is not useful. If syslinux is parsing anything
> untrusted then you have much larger problems than libpng, so an outdated
> libpng is presumably not really a problem.

It would be nice if this used artifacts built from src:libpng instead of embedding a copy of the code though.

--
bye,
pabs

https://wiki.debian.org/PaulWise