GLSA 200710-12 is listed as applying to media-libs/t1lib < 5.0.2-r1. However, version 1.3.1 is still in portage and has numerous dependencies. If it is vulnerable then it needs to be fixed. If it is not vulnerable then the GLSA should be patched so that it doesn't come up as a false alarm. Do we need to add to the glsa?: <unaffected range="lt">5.0</unaffected> Reproducible: Always
fonts please advise wether 1.3.1 is affected?
The same code is present in t1lib-1.3.1. Do we have anything depending on the old version?
No, it doesn't look like it. I've masked it for removal. dirtyepic@tycho ~ $ qgrep -N t1lib-1 app-misc/gfontview-0.5.0-r6:DEPEND=">=media-libs/t1lib-1.0.1 app-text/xdvik-22.40y-r2:DEPEND=">=media-libs/t1lib-1.3 media-gfx/swftools-0.7.0:DEPEND=">=media-libs/t1lib-1.3.1 media-gfx/swftools-0.8.0:DEPEND=">=media-libs/t1lib-1.3.1 media-gfx/swftools-0.8.1:DEPEND=">=media-libs/t1lib-1.3.1 media-libs/t1lib-1.3.1:# $Header: /var/cvsroot/gentoo-x86/media-libs/t1lib/t1lib-1.3.1.ebuild,v 1.29 2007/01/05 08:35:17 flameeyes Exp $ sci-visualization/grace-5.1.20: >=media-libs/t1lib-1.3.1 sci-visualization/grace-5.1.21: >=media-libs/t1lib-1.3.1
Thanks Ryan and Richard. I'll close this one as INVALID since we don't have a policy regarding older vulnerable versions in the tree.
