Bug#595171: CVE-2010-1519
Moritz Muehlenhoff
jmm at inutil.org
Fri Sep 3 17:15:08 UTC 2010
Hi,
On Fri, Sep 03, 2010 at 12:15:09PM +0800, Paul Wise wrote:
> On Thu, Sep 2, 2010 at 9:08 PM, Christoph Egger <christoph at debian.org> wrote:
>
> > Would be probably best to get rid of glpng soon then (pabs: how's
> > the status on chromium-bsu there?). Unfortunately I'm VAC for another
> > week and probably offline most of the time (as well as keyless).
>
> The SDL_Image loader released with chromium-bsu 0.9.14.1 from squeeze
> works but has a minor rendering glitch that I wasn't able to fix yet.
> Some details are available in the upstream bug report[1]. Help to fix
> it or any of the other upstream bugs would be very much appreciated.
> If the release team would accept the dependency change I think it
> would be reasonable to switch chromium-bsu to SDL_image and remove
> glpng before squeeze releases instead of keeping it around. The impact
> of the glpng security issue on chromium-bsu is minimal since most
> people will never run it with anything other than the textures from
> chromium-bsu-data.
>
> http://sf.net/support/tracker.php?aid=2998438
Agreed, there is no security issue as far as chromium-bsu is concerned,
since the attack vector for the generic library (providing malformed
graphics) doesn't exist.

According to the changelog chromium-bsu ships an embedded code copy
of libglpng? In that case it might be a good solution to revert to
the internal copy and simply remove the standalone version.

Cheers,
Moritz