251546 – app-emulation/vmware-server-console bundles internal copies of expat-1.95.7 and libpng-1.2.22

Bug 251546 - app-emulation/vmware-server-console bundles internal copies of expat-1.95.7 and libpng-1.2.22

Summary: app-emulation/vmware-server-console bundles internal copies of expat-1.95.7 a...

Status:	RESOLVED LATER

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo VMWare Bug Squashers [disabled]

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	bundled-libs CVE-2009-3720
	Show dependency tree

Reported:	2008-12-18 21:05 UTC by Diego Elio Pettenò (RETIRED)
Modified:	2009-08-21 11:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Diego Elio Pettenò (RETIRED) gentoo-dev

2008-12-18 21:05:56 UTC

yamato ~ # ./test-expat /opt/vmware/server/console/lib/lib/libexpat.so.0/libexpat.so.0
expat version in /opt/vmware/server/console/lib/lib/libexpat.so.0/libexpat.so.0: expat_1.95.7
yamato ~ # ./test-libpng /opt/vmware/server/console/lib/lib/libpng12.so.0/libpng12.so.0
libpng version in /opt/vmware/server/console/lib/lib/libpng12.so.0/libpng12.so.0: 1.2.22

Comment 1 Mike Auty (RETIRED) gentoo-dev

2008-12-18 22:22:01 UTC

That's true, but I'm not sure what best I can do about it.  Vmware mixes proprietary libraries with system libraries.  When the versions mismatch, they fall back to their bundled versions.  If I remove those libraries, it's likely to cause horrible breakages in the future.  As to security, vmware periodically (and usually at the most frustrating times) release new versions that include fixes for such bundled software.

Have you any creative ideas for solving the problem, or shall I just mark this as WONTFIX?