MainInclusionReportGfxboot

Main Inclusion Report for gfxboot

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/g/gfxboot/, available for amd64 and i386. Other architectures are not supported.

  2. Rationale:

  3. Security:

    • No CVE entries.
    • No Secunia history.
    • Runs in the context of the boot loader (currently only syslinux).
    • Source code review:
      • mkbootmsg.c: the code from line 1876 onward looks like a buffer overflow that can be controlled by a malicious theme; a bug was filed.

  4. Quality assurance:

    • Package works out of the box without configuration.
    • Packaging from Kanotix, who do not seem to have a bug tracking system.

    • Active upstream.
    • No critical bugs in the upstream bug tracker.

    • Does not deal with exotic hardware which we cannot support.

  5. Standards compliance:

  6. Dependencies:

    • All in main.

Reviewers

MartinPitt: buffer overflows should be corrected, otherwise it's fine.

MainInclusionReportGfxboot (last edited 2008-08-06 16:39:25 by localhost)