Bug#842093: embedded copies of libupnp

Salvatore Bonaccorso carnil at debian.org
Sat Dec 10 09:43:53 UTC 2016


Hi Sebastian,

On Fri, Dec 09, 2016 at 11:28:53AM +0100, Sebastian Ramacher wrote:
> On 2016-12-09 10:16:25, James Cowgill wrote:
> > Hi,
> > 
> > On 09/12/16 09:27, Uwe Kleine-König wrote:
> > > Hello,
> > > 
> > > there are two source packages (in sid, found via codesearch.d.n) that
> > > include embedded copies of libupnp: djmount and mediatomb (maintainers
> > > on Cc:).
> > > 
> > > djmount build-depends on libupnp-dev and calls configure with
> > > --with-external-libupnp, so fixing libupnp should be good enough here.
> > > 
> > > mediatomb doesn't build-depend on libupnp-dev and looking at
> > > https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
> > > it seems that the embedded copy is used, so mediatomb needs additional
> > > handling to fix the bug. Also the copy is vulnerable.
> > 
> > The Fedora maintainer asked upstream about it a while back:
> > https://sourceforge.net/p/mediatomb/bugs/114/
> > 
> > I have not checked how extensive the patching is, but I expect
> > unbundling libupnp from mediatomb would be a lot of work which no one
> > has volunteered to do.
> > 
> > Upstream appears to be dead which is why they haven't fixed it.
> 
> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
> current state it will not be part of stretch.

I think this makes sense. Can you request the removal from unstable?

Regards,
Salvatore



More information about the pkg-multimedia-maintainers mailing list