Bug#842093: embedded copies of libupnp

Uwe Kleine-König uwe at kleine-koenig.org
Fri Dec 9 13:55:52 UTC 2016


Hello,

On 12/09/2016 11:28 AM, Sebastian Ramacher wrote:
> On 2016-12-09 10:16:25, James Cowgill wrote:
>> On 09/12/16 09:27, Uwe Kleine-König wrote:
>>> there are two source packages (in sid, found via codesearch.d.n) that
>>> include embedded copies of libupnp: djmount and mediatomb (maintainers
>>> on Cc:).
>>>
>>> djmount build-depends on libupnp-dev and calls configure with
>>> --with-external-libupnp, so fixing libupnp should be good enough here.
>>>
>>> mediatomb doesn't build-depend on libupnp-dev and looking at
>>> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
>>> it seems that the embedded copy is used, so mediatomb needs additional
>>> handling to fix the bug. Also the copy is vulnerable.
>>
>> The Fedora maintainer asked upstream about it a while back:
>> https://sourceforge.net/p/mediatomb/bugs/114/
>>
>> I have not checked how extensive the patching is, but I expect
>> unbundling libupnp from mediatomb would be a lot of work which no one
>> has volunteered to do.
>>
>> Upstream appears to be dead which is why they haven't fixed it.
> 
> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
> current state it will not be part of stretch.

mediatomb already has a grave bug that lists a number of CVEs that
affect the embedded copy of libupnp (#841224). It already mentions
CVE-2016-8863. Also mediatomb isn't in testing as of now.

Best regards
Uwe
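As an added illustration (not part of the thread), a shell heuristic that reproduces the distinction drawn above between djmount and mediatomb: a source tree that bundles libupnp but is built against the system library, versus one that compiles the bundled copy. It assumes a bundled copy can be recognised by libupnp's upnp.h header outside debian/, and the external-library intent by a libupnp-dev build-dependency plus the --with-external-libupnp configure switch in debian/rules; the sample trees are constructed.

```shell
#!/bin/sh
# Classify how a Debian source tree consumes libupnp.
#   external - no bundled copy, or bundled copy present but the package
#              build-depends on libupnp-dev AND passes --with-external-libupnp
#              (the djmount situation in the thread)
#   embedded - bundled copy present and nothing points the build at the
#              system library, so a fix to src:libupnp will not reach it
#              (the mediatomb situation); verify against the build log
#   none     - libupnp not used at all
# Heuristics are assumptions: upnp.h outside debian/ marks a bundled copy,
# libupnp-dev in debian/control and the configure switch in debian/rules
# mark use of the system library.
libupnp_usage() {
  src="$1"
  bundled=0; builddep=0; flag=0
  if find "$src" -path "$src/debian" -prune -o -type f -name upnp.h -print | grep -q .; then
    bundled=1
  fi
  if [ -f "$src/debian/control" ] && grep -Eq 'libupnp[0-9]*-dev' "$src/debian/control"; then
    builddep=1
  fi
  if [ -f "$src/debian/rules" ] && grep -q -- '--with-external-libupnp' "$src/debian/rules"; then
    flag=1
  fi
  if [ "$bundled" -eq 0 ] && [ "$builddep" -eq 0 ]; then
    echo none
  elif [ "$bundled" -eq 0 ] || { [ "$builddep" -eq 1 ] && [ "$flag" -eq 1 ]; }; then
    echo external
  else
    echo embedded
  fi
}

# Constructed sample tree: $1=dir $2=bundled(0/1) $3=build-dep(0/1) $4=switch(0/1)
make_sample() {
  mkdir -p "$1/debian"
  deps='debhelper (>= 9)'; switch=''
  if [ "$2" = 1 ]; then mkdir -p "$1/upnp/inc" && : > "$1/upnp/inc/upnp.h"; fi
  if [ "$3" = 1 ]; then deps="$deps, libupnp-dev"; fi
  if [ "$4" = 1 ]; then switch='--with-external-libupnp'; fi
  printf 'Source: sample\nBuild-Depends: %s\n' "$deps" > "$1/debian/control"
  printf 'override_dh_auto_configure:\n\tdh_auto_configure -- %s\n' "$switch" > "$1/debian/rules"
}

demo() {  # prints: djmount-like: external / mediatomb-like: embedded / unrelated: none
  tmp=$(mktemp -d)
  make_sample "$tmp/djmount-like" 1 1 1
  make_sample "$tmp/mediatomb-like" 1 0 0
  make_sample "$tmp/unrelated" 0 0 0
  for p in djmount-like mediatomb-like unrelated; do
    printf '%s: %s\n' "$p" "$(libupnp_usage "$tmp/$p")"
  done
  rm -rf "$tmp"
}
```

Run `demo` to see the three classifications; point `libupnp_usage` at an unpacked source package to apply the heuristic to a real tree.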
