[Pkg-gtkpod-devel] [Pkg-utopia-maintainers] Bug#658541: upower: Shouldn't depend on libimobiledevice (that depends on usbmuxd) causing security issue and bloat

Michael Biebl biebl at debian.org
Fri Feb 3 21:10:51 UTC 2012


reassign 658541  libimobiledevice2
thanks

On 03.02.2012 21:47, Touko Korpela wrote:
> Package: upower
> Version: 0.9.15-1
> Severity: normal
> 
> 
> What is the reason upower depends on libimobiledevice2? That library depends
> on usbmuxd (daemon which was vulnerable to malicious USB devices,
> CVE-2012-0065).
> 
> In my opinion, upower shouldn't require installation of Apple-specific
> libraries and daemons for all users. So recommends at most, or suggest.

That's not how shared libraries work. You can't depend on them
optionally unless you use them via dlopen, which brings other sorts of
issues.

That said, usbmuxd is only started on demand, when such hardware is
actually plugged in, so it doesn't take up any resources and
CVE-2012-0065 has been fixed very promptly, fwiw.

I don't know if it is feasible, if libimobiledevice2 could lower the
dependency on usbmuxd, but in any case this should be handled there and
I'll let their maintainers decide.
So reassigning.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
