On 04/01/16 12:50, Tobias Frost wrote:
> On Monday, 04.01.2016, at 12:00 +0000, Bastien Roucaries wrote:
>> Add also bug to package using embedded libpng 1.6 like texlive ?
>
> Thanks for the hint, I frankly forgot to check for code copies.

https://lintian.debian.org/tags/embedded-library.html and https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co might be useful, although the latter seems to be outdated (it says libtk-img embeds libpng, which is no longer true). Is there a newer security team list somewhere?

In addition to texlive:

chromium and ice* might be able to move from their embedded copies to a newer system copy, or not, depending on whether they've patched them.

I think eagle contains forks of its various libraries, but I could be wrong. It probably needs adding to the embedded code copies list multiple times?

syslinux (and the copy of it in d-i) runs at a level below Linux, so the system copy of libpng is not useful. If syslinux is parsing anything untrusted then you have much larger problems than libpng, so an outdated libpng is presumably not really a problem.

xserver-xorg-video-nvidia* are presumably unfixable (proprietary binaries).

S