On Sun, 24 Mar 2024 21:46:40 +0100 Moritz Muehlenhoff <j...@inutil.org> wrote:

----------------------------- 8< -----------------------------
>
> I never tried to reproduce these, but reproducibility of a given PoC
> made against a current version not working with an older version
> doesn't mean the old version isn't affected. From a quick glance the
> equivalent of the checks added in 5 are also needed in 4.4, e.g.
> rle_tga_read8() lacks a check for w overstepping c.
>
> Given that all these image files are typically read from a trusted
> location/source shipped by a given game it's not a big deal, but I'd
> suggest to keep the bug open until 4.4 has been fully phased out or
> the fixes backported.
>

Yeah, I believe that upstream isn't interested either in 4.4, but focuses pretty much fully on 5.x now - and my interest is basically on 5.x.

Previously my interest in 4.4 was because of alex4, but since that package has turned out to be non-free and moved there, my interest in it has waned, and consequently, in allegro4.4 too. I believe a big part of Tobias Hansen's interest in Allegro 4 was due to Aseprite, which has turned to a license that cannot be packaged in Debian (but I don't want to claim that I 100% know Tobias' reasoning).

If anyone really wants to have allegro 4.4 still in Debian, my suggestion would be to step up and help out with the package (but since I believe upstream has no interest in it, I don't know how doable it is).

I am considering removing myself from the allegro 4.4 package, but still keep working on the 5.x one. There I soon have an upload coming, I am just waiting for [1] to get solved (Fixing multiarch stuff for cmake package config).

Of course, removing 4.4 would mean removal of quite some small nice little games, but sometimes you just have to endure the negative.

/Andreas Rönnquist
gus...@debian.org

1: https://github.com/liballeg/allegro5/pull/1543
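
The kind of check the quoted message says is missing from rle_tga_read8(), as an added example that is not Allegro's code and not from this thread: a strict 8-bit TGA RLE row decoder over an in-memory buffer. It assumes w is the row width in pixels and c the count of pixels decoded so far; the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: a valid 8-pixel row, and a run packet claiming 128 pixels. */
static const unsigned char sample_ok[] = {0x83, 0xAA, 0x03, 1, 2, 3, 4};
static const unsigned char sample_overrun[] = {0xFF, 0x41};

/* Decode one 8-bit RLE row of w pixels from src into dst (dst holds w bytes).
 * Returns the number of input bytes consumed, or -1 if the input is truncated
 * or a packet would write past the end of the row. Hypothetical helper. */
long tga_rle_decode_row8(const unsigned char *src, size_t src_len,
                         unsigned char *dst, size_t w)
{
    size_t in = 0;  /* input bytes consumed */
    size_t c = 0;   /* pixels written so far */

    while (c < w) {
        if (in >= src_len)
            return -1;                      /* no packet header left */
        unsigned char hdr = src[in++];
        size_t count = (size_t)(hdr & 0x7F) + 1;

        if (count > w - c)
            return -1;                      /* packet oversteps the row: reject */

        if (hdr & 0x80) {                   /* run-length packet: one value repeated */
            if (in >= src_len)
                return -1;
            unsigned char value = src[in++];
            for (size_t i = 0; i < count; i++)
                dst[c + i] = value;
        } else {                            /* raw packet: count literal pixels */
            if (count > src_len - in)
                return -1;                  /* input shorter than the packet claims */
            for (size_t i = 0; i < count; i++)
                dst[c + i] = src[in + i];
            in += count;
        }
        c += count;
    }
    return (long)in;
}

int main(void)
{
    unsigned char row[8];
    printf("valid row: %ld\n", tga_rle_decode_row8(sample_ok, sizeof sample_ok, row, 8));
    printf("oversized run: %ld\n", tga_rle_decode_row8(sample_overrun, sizeof sample_overrun, row, 8));
    return 0;
}
```

Without the `count > w - c` test, the second sample would write 128 bytes into an 8-byte row; the decoder here rejects the packet before any byte of it is written.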