Debian Bug report logs - #637488
t1lib: history of security issues, unmaintained upstream, unsupportable

Package: t1lib; Maintainer for t1lib is (unknown);

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Thu, 11 Aug 2011 23:57:04 UTC

Severity: grave

Tags: squeeze-ignore, wheezy-ignore

Found in version 5.1.2-3

Fixed in version 5.1.2-4+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Thu, 11 Aug 2011 23:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Thu, 11 Aug 2011 23:57:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: t1lib: many severe security issues, unmaintained upstream, unsupportable
Date: Thu, 11 Aug 2011 19:53:43 -0400
package: t1lib
version: 5.1.2-3
severity: grave
tag: security

Hi, the t1lib package currently has a significant set of security
vulnerabilities [0].  There hasn't been an upstream release in over 3
years, so it seems unmaintained, and thus the issues are unlikely to
be fixed.  Some tools such as xpdf have simply dropped support for
t1lib because of this [1].  I've submitted another bug to the release
team recommending removal of the package [2].  Of course if the issues
are somehow fixed, the package can stay.

Best wishes,
Mike

[0] http://security-tracker.debian.org/tracker/source-package/t1lib
[1] http://www.foolabs.com/xpdf/download.html
[2] http://bugs.debian.org/6370404




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#637488; Package t1lib. (Sun, 14 Aug 2011 02:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ruben Molina <rmolina@udea.edu.co>:
Extra info received and forwarded to list. (Sun, 14 Aug 2011 02:48:03 GMT) (full text, mbox, link).


Message #10 received at 637488@bugs.debian.org (full text, mbox, reply):

From: Ruben Molina <rmolina@udea.edu.co>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 637488@bugs.debian.org
Subject: Re: Bug#637488: t1lib: many severe security issues, unmaintained upstream, unsupportable
Date: Sat, 13 Aug 2011 21:46:18 -0500
On Thu, 11-08-2011 at 19:53 -0400, Michael Gilbert wrote:
> Hi, the t1lib package currently has a significant set of security
> vulnerabilities [0].  There hasn't been an upstream release in over 3
> years, so it seems unmaintained, and thus the issues are unlikely to
> be fixed.  Some tools such as xpdf have simply dropped support for

Hi Michael,

Thanks for pointing this out. I fully agree with you and I think
this package can be removed once rdepends issues are solved.
AFAICT, freetype is a suitable alternative.

Thanks,
  Ruben

Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Sun, 17 Jun 2012 10:18:08 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Sun, 17 Jun 2012 10:18:43 GMT) (full text, mbox, link).


Message #15 received at 637488@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 637488@bugs.debian.org
Subject: Ping - remove t1lib
Date: Sun, 17 Jun 2012 12:14:28 +0200
Just to remember... As far as I can see there are no more rdepends left.
Are there any more reasons not to remove t1lib?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Sun, 17 Jun 2012 10:54:09 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Sun, 17 Jun 2012 10:54:15 GMT) (full text, mbox, link).


Message #20 received at 637488@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Arne Wichmann <aw@anhrefn.saar.de>, 637488@bugs.debian.org
Subject: Re: Bug#637488: Ping - remove t1lib
Date: Sun, 17 Jun 2012 11:49:17 +0100
On Sun, 2012-06-17 at 12:14 +0200, Arne Wichmann wrote:
> Just to remember... As far as I can see there are no more rdepends left.
> Are there any more reasons not to remove t1lib?

How did you determine that?  Running "dak rm -Rn t1lib" on ftp-master
says:

Checking reverse dependencies...
# Broken Depends:
dvi2ps: dvi2ps [amd64]
evince: libevdocument3-4
grace: grace
gtkmathview: libgtkmathview-bin
             libgtkmathview-dev
             libgtkmathview0c2a
lablgtkmathview: liblablgtkmathview-ocaml
vflib3: vflib3 [amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc]
        vflib3-bin
        vflib3-dev

# Broken Build-Depends:
claws-mail: libt1-dev
evince: libt1-dev
grace: libt1-dev
gtkmathview: libt1-dev (>= 5.1.1-1.1)
swftools: libt1-dev
vflib3: libt1-dev

Dependency problem found.

Regards,

Adam
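
Added example (not part of the original thread, and not dak's own code): a small Python parser for the `dak rm -Rn` output quoted in the message above, grouping the broken binary packages by source package so the set of packages still blocking removal is explicit. The function names are made up for this example, and the output layout is assumed only from the text quoted in this thread.

```python
import re

# Output of "dak rm -Rn t1lib" as quoted in the message above.
DAK_OUTPUT = """\
Checking reverse dependencies...
# Broken Depends:
dvi2ps: dvi2ps [amd64]
evince: libevdocument3-4
grace: grace
gtkmathview: libgtkmathview-bin
             libgtkmathview-dev
             libgtkmathview0c2a
lablgtkmathview: liblablgtkmathview-ocaml
vflib3: vflib3 [amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc]
        vflib3-bin
        vflib3-dev

# Broken Build-Depends:
claws-mail: libt1-dev
evince: libt1-dev
grace: libt1-dev
gtkmathview: libt1-dev (>= 5.1.1-1.1)
swftools: libt1-dev
vflib3: libt1-dev

Dependency problem found.
"""

SECTION = re.compile(r"^# Broken (Depends|Build-Depends):$")
# "source: package ..." or an indented continuation line "      package ..."
ENTRY = re.compile(r"^(?:(?P<src>[a-z0-9][a-z0-9+.-]*):)?\s+(?P<pkg>[a-z0-9][a-z0-9+.-]*)")

def parse_dak_rm(text):
    """Return {section: {source package: [broken package names]}}."""
    result, section, source = {"Depends": {}, "Build-Depends": {}}, None, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section, source = m.group(1), None
            continue
        # Banner, blank and trailer lines match nothing and are skipped.
        m = ENTRY.match(line) if section else None
        source = (m and m.group("src")) or source  # continuation keeps the source
        if m and source:
            result[section].setdefault(source, []).append(m.group("pkg"))
    return result

def blocking_sources(text):
    """Sorted source packages that still depend or build-depend on the library."""
    return sorted(set().union(*(d.keys() for d in parse_dak_rm(text).values())))
```
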





Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Sun, 17 Jun 2012 12:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Sun, 17 Jun 2012 12:45:08 GMT) (full text, mbox, link).


Message #25 received at 637488@bugs.debian.org (full text, mbox, reply):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 637488@bugs.debian.org
Subject: Re: Bug#637488: Ping - remove t1lib
Date: Sun, 17 Jun 2012 14:41:50 +0200
begin  quotation  from Adam D. Barratt (in <1339930157.7014.2.camel@jacala.jungle.funky-badger.org>):
> On Sun, 2012-06-17 at 12:14 +0200, Arne Wichmann wrote:
> > Just to remember... As far as I can see there are no more rdepends left.
> > Are there any more reasons not to remove t1lib?
> 
> How did you determine that?  Running "dak rm -Rn t1lib" on ftp-master
> says:

It seems I should improve on my tool knowledge.

> Checking reverse dependencies...
> # Broken Depends:
> dvi2ps: dvi2ps [amd64]
> evince: libevdocument3-4
> grace: grace
> gtkmathview: libgtkmathview-bin
>              libgtkmathview-dev
>              libgtkmathview0c2a
> lablgtkmathview: liblablgtkmathview-ocaml
> vflib3: vflib3 [amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc]
>         vflib3-bin
>         vflib3-dev
> 
> # Broken Build-Depends:
> claws-mail: libt1-dev
> evince: libt1-dev
> grace: libt1-dev
> gtkmathview: libt1-dev (>= 5.1.1-1.1)
> swftools: libt1-dev
> vflib3: libt1-dev
> 
> Dependency problem found.

So it is time to file bugs to these respective packages, isn't it?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Sun, 17 Jun 2012 13:24:14 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Sun, 17 Jun 2012 13:24:14 GMT) (full text, mbox, link).


Message #30 received at 637488@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Arne Wichmann <aw@anhrefn.saar.de>
Cc: 637488@bugs.debian.org
Subject: Re: Bug#637488: Ping - remove t1lib
Date: Sun, 17 Jun 2012 14:20:13 +0100
On Sun, 2012-06-17 at 14:41 +0200, Arne Wichmann wrote:
> begin  quotation  from Adam D. Barratt (in <1339930157.7014.2.camel@jacala.jungle.funky-badger.org>):
> > Checking reverse dependencies...
> > # Broken Depends:
> > dvi2ps: dvi2ps [amd64]
> > evince: libevdocument3-4
> > grace: grace
> > gtkmathview: libgtkmathview-bin
> >              libgtkmathview-dev
> >              libgtkmathview0c2a
> > lablgtkmathview: liblablgtkmathview-ocaml
> > vflib3: vflib3 [amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc]
> >         vflib3-bin
> >         vflib3-dev
> > 
> > # Broken Build-Depends:
> > claws-mail: libt1-dev
> > evince: libt1-dev
> > grace: libt1-dev
> > gtkmathview: libt1-dev (>= 5.1.1-1.1)
> > swftools: libt1-dev
> > vflib3: libt1-dev
> > 
> > Dependency problem found.
> 
> So it is time to file bugs to these respective packages, isn't it?

That time was a few months ago, really.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Fri, 03 Aug 2012 22:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Tobias Hansen <tobias.han@gmx.de>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Fri, 03 Aug 2012 22:36:03 GMT) (full text, mbox, link).


Message #35 received at 637488@bugs.debian.org (full text, mbox, reply):

From: Tobias Hansen <tobias.han@gmx.de>
To: debian-release@lists.debian.org
Cc: 637488@bugs.debian.org
Subject: What to do about t1lib / RC #637488
Date: Sat, 04 Aug 2012 00:37:23 +0200
Hi,

t1lib has no upstream, but a number of security vulnerabilities and reverse dependencies.

We need to know if #637488 can be ignored for wheezy or if we should go for removal and file bugs against the reverse dependencies.

Best regards,
Tobias Hansen




Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Sat, 04 Aug 2012 14:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Sat, 04 Aug 2012 14:48:03 GMT) (full text, mbox, link).


Message #40 received at 637488@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Tobias Hansen <tobias.han@gmx.de>
Cc: debian-release@lists.debian.org, 637488@bugs.debian.org
Subject: Re: What to do about t1lib / RC #637488
Date: Sat, 4 Aug 2012 16:45:23 +0200
On Sat, Aug 04, 2012 at 12:37:23AM +0200, Tobias Hansen wrote:
> Hi,
> 
> t1lib has no upstream, but a number of security vulnerabilities and reverse dependencies.
> 
> We need to know if #637488 can be ignored for wheezy or if we should go for removal and file bugs against the reverse dependencies.

We fixed up the known security issues in DSAs and while the code base is
admittedly old and crusty, I don't see this issue as so pressing that the removal
cannot wait until Jessie.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Ruben Molina <rmolina@udea.edu.co>:
Bug#637488; Package t1lib. (Sat, 04 Aug 2012 15:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Ruben Molina <rmolina@udea.edu.co>. (Sat, 04 Aug 2012 15:15:03 GMT) (full text, mbox, link).


Message #45 received at 637488@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Tobias Hansen <tobias.han@gmx.de>, debian-release@lists.debian.org, 637488@bugs.debian.org
Subject: Re: What to do about t1lib / RC #637488
Date: Sat, 04 Aug 2012 16:09:38 +0100
user release.debian.org@packages.debian.org
usertag 637488 + wheezy-can-defer
tag 637488 + wheezy-ignore
thanks

On Sat, 2012-08-04 at 16:45 +0200, Moritz Mühlenhoff wrote:
> On Sat, Aug 04, 2012 at 12:37:23AM +0200, Tobias Hansen wrote:
> > t1lib has no upstream, but a number of security vulnerabilities and reverse dependencies.
> > 
> > We need to know if #637488 can be ignored for wheezy or if we should go for removal and file bugs against the reverse dependencies.

There already are bugs against (at least some of) the reverse
dependencies.  I see Pino just set those as blockers against the RM bug;
thanks!

> We fixed up the known security issues in DSAs and while the code base is
> admittedly old and crusty, I don't see this issue as so pressing that the removal
> cannot wait until Jessie.

Looking at the tracker and the upload history - ack; thanks.

Regards,

Adam




Added tag(s) wheezy-ignore. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 04 Aug 2012 15:15:05 GMT) (full text, mbox, link).


Added tag(s) squeeze-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 06 Nov 2013 02:33:22 GMT) (full text, mbox, link).


Changed Bug title to 't1lib: history of security issues, unmaintained upstream, unsupportable' from 't1lib: many severe security issues, unmaintained upstream, unsupportable' Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sun, 23 Mar 2014 16:39:05 GMT) (full text, mbox, link).


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Fri, 02 May 2014 12:27:13 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 02 May 2014 12:27:14 GMT) (full text, mbox, link).


Message #56 received at 637488-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 131336-done@bugs.debian.org,637488-done@bugs.debian.org,653635-done@bugs.debian.org,722843-done@bugs.debian.org,700415-done@bugs.debian.org,
Cc: t1lib@packages.debian.org, t1lib@packages.qa.debian.org
Subject: Bug#744881: Removed package(s) from unstable
Date: Fri, 02 May 2014 12:24:10 +0000
Version: 5.1.2-4+rm

Dear submitter,

as the package t1lib has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/744881

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:56:58 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:32:40 2023; Machine Name: bembo
