This appears to be a false positive in my tool due to some older package
information I was using, which meant that it didn't detect that the
libpoppler shared library/package was being used - even though the poppler
source code was in the luatex tree.

--
Silvio

On Wed, Aug 8, 2012 at 5:37 PM, Hilmar Preusse <[email protected]> wrote:

> On 08.08.12 Silvio Cesare ([email protected]) wrote:
>
> Hi Silvio,
>
> > Package: luatex
> > Severity: important
> > Tags: security
> >
> > I have been working on a tool called Clonewise to automatically
> > identify embedded code copies in Debian packages and determine if
> > they are out of date and vulnerable.  Ideally, embedding code and
> > libraries should be avoided and a system wide library should be
> > used instead.
> >
> I've no clue how your tool works. Yes, we ship a few of libs sources
> in the luatex source package, but not all of them are build, hence
> not used used.  Especially for poppler we use the shared poppler lib
> packaged in Debian.
>
> Could you double check, if this a false positivee?
>
> Hilmar
> --
> sigmentation fault
>

Reply via email to