Hi all,

On 18/03/2020 19:27, Moritz Muehlenhoff wrote:
> On Wed, Mar 18, 2020 at 06:14:36PM +0100, Sylvain Beucler wrote:
>> I excluded 3 out of 8 packages. I only added packages that actually
>> contain the impacted code (VNC client connection, using original RealVNC
>> codebase).
>
> "Contains the impacted code" is not the relevant criterion here, it's
> "contains the impacted code and the respective library function can be
> triggered in a security-relevant scenario/trust boundaries are crossed".

For the record, I believe this fits the criterion.

Usually we need to prove that a program is /not/ vulnerable before we stop working on it. Here it sounds like we need to prove that a program is vulnerable to merely start tracking it.

Conversely it is likely that similar, past issues affecting this code were not flagged in packages that embed it (I complemented embedded-code-copies only last week).

I'm surprised that other members of Debian Security or Debian LTS hadn't anything to add.

Cheers!
Sylvain