Bug#842093: embedded copies of libupnp

Sebastian Ramacher sramacher at debian.org
Fri Dec 9 10:28:53 UTC 2016


On 2016-12-09 10:16:25, James Cowgill wrote:
> Hi,
> 
> On 09/12/16 09:27, Uwe Kleine-König wrote:
> > Hello,
> > 
> > there are two source packages (in sid, found via codesearch.d.n) that
> > include embedded copies of libupnp: djmount and mediatomb (maintainers
> > on Cc:).
> > 
> > djmount build-depends on libupnp-dev and calls configure with
> > --with-external-libupnp, so fixing libupnp should be good enough here.
> > 
> > mediatomb doesn't build-depend on libupnp-dev and looking at
> > https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> > it seems that the embedded copy is used, so mediatomb needs additional
> > handling to fix the bug. Also the copy is vulnerable.
> 
> The Fedora maintainer asked upstream about it a while back:
> https://sourceforge.net/p/mediatomb/bugs/114/
> 
> I have not checked how extensive the patching is, but I expect
> unbundling libupnp from mediatomb would be a lot of work which no one
> has volunteered to do.
> 
> Upstream appears to be dead which is why they haven't fixed it.

Maybe it's time to get mediatomb removed. It was not part of jessie and in its
current state it will not be part of stretch.

Cheers
-- 
Sebastian Ramacher
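
The triage reasoning from the quoted report (a build-dependency on libupnp-dev together with --with-external-libupnp means the packaged library is used; no build-dependency points to the bundled copy), as an added Python example that is not part of the original thread. The function names, result labels and sample packaging files are constructed for illustration.

```python
import re

def build_depends(control_text):
    """Package names listed in any Build-Depends* field of a debian/control text."""
    names, field = set(), None
    for line in control_text.splitlines():
        if line.startswith("#"):                 # comment lines are ignored
            continue
        if line[:1] in (" ", "\t"):              # continuation of a folded field
            value = line
        elif ":" in line:
            field, value = line.split(":", 1)
            field = field.strip().lower()
        else:                                    # blank line ends the stanza
            field, value = None, ""
        if field and field.startswith("build-depends"):
            for dep in re.split(r"[,|]", value):
                # drop "(>= 1.6)" versions, "[armhf]" arch lists, "<!nocheck>" profiles
                dep = re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", dep).strip()
                if dep:
                    names.add(dep.split(":")[0])  # strip ":any" / ":native"
    return names

def triage(control_text, rules_text, dev_pkg="libupnp-dev",
           flag="--with-external-libupnp"):
    has_dep = dev_pkg in build_depends(control_text)
    # a flag that only appears in a commented-out rules line does not count
    has_flag = any(flag in l.split("#", 1)[0] for l in rules_text.splitlines())
    if not has_dep:
        return "embedded-likely"   # packaged library absent at build time
    if has_flag:
        return "system"            # fixing the library package is enough
    return "check-build-log"       # dev package present, but nothing forces its use

# Constructed sample inputs (not the real packaging of any Debian package).
CONTROL_A = """Source: pkg-a
Build-Depends: debhelper (>= 9),
 libfuse-dev [linux-any],
 libupnp-dev (>= 1:1.6)
"""
RULES_A = "override_dh_auto_configure:\n\tdh_auto_configure -- --with-external-libupnp\n"
CONTROL_B = "Source: pkg-b\nBuild-Depends: debhelper (>= 9), libexpat1-dev\n"
RULES_B = "# --with-external-libupnp would need porting work\n%:\n\tdh $@\n"

if __name__ == "__main__":
    print("pkg-a:", triage(CONTROL_A, RULES_A))
    print("pkg-b:", triage(CONTROL_B, RULES_B))
```

A "check-build-log" or "embedded-likely" result is a prompt to read the buildd log, as the report did for mediatomb, not a verdict.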


