This appears to be a false positive in my tool due to some older package information I was using, which meant that it didn't detect that the libpoppler shared library/package was being used - even though the poppler source code was in the luatex tree.
-- Silvio On Wed, Aug 8, 2012 at 5:37 PM, Hilmar Preusse <[email protected]> wrote: > On 08.08.12 Silvio Cesare ([email protected]) wrote: > > Hi Silvio, > > > Package: luatex > > Severity: important > > Tags: security > > > > I have been working on a tool called Clonewise to automatically > > identify embedded code copies in Debian packages and determine if > > they are out of date and vulnerable. Ideally, embedding code and > > libraries should be avoided and a system wide library should be > > used instead. > > > I've no clue how your tool works. Yes, we ship a few of libs sources > in the luatex source package, but not all of them are build, hence > not used used. Especially for poppler we use the shared poppler lib > packaged in Debian. > > Could you double check, if this a false positivee? > > Hilmar > -- > sigmentation fault >

