Bug#842093: embedded copies of libupnp
James Cowgill
jcowgill at debian.org
Fri Dec 9 10:16:25 UTC 2016
Hi,

On 09/12/16 09:27, Uwe Kleine-König wrote:
> Hello,
>
> there are two source packages (in sid, found via codesearch.d.n) that
> include embedded copies of libupnp: djmount and mediatomb (maintainers
> on Cc:).
>
> djmount build-depends on libupnp-dev and calls configure with
> --with-external-libupnp, so fixing libupnp should be good enough here.
>
> mediatomb doesn't build-depend on libupnp-dev and looking at
> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> it seems that the embedded copy is used, so mediatomb needs additional
> handling to fix the bug. Also the copy is vulnerable.

The Fedora maintainer asked upstream about it a while back:
https://sourceforge.net/p/mediatomb/bugs/114/

I have not checked how extensive the patching is, but I expect
unbundling libupnp from mediatomb would be a lot of work which no one
has volunteered to do.

Upstream appears to be dead which is why they haven't fixed it.

Thanks,
James