Bug#842093: embedded copies of libupnp

James Cowgill jcowgill at debian.org
Thu Dec 29 15:36:29 UTC 2016


Hi,

On 10/12/16 09:43, Salvatore Bonaccorso wrote:
> On Fri, Dec 09, 2016 at 11:28:53AM +0100, Sebastian Ramacher wrote:
>> On 2016-12-09 10:16:25, James Cowgill wrote:
>>> On 09/12/16 09:27, Uwe Kleine-König wrote:
>>>> there are two source packages (in sid, found via codesearch.d.n) that
>>>> include embedded copies of libupnp: djmount and mediatomb (maintainers
>>>> on Cc:).
>>>>
>>>> djmount build-depends on libupnp-dev and calls configure with
>>>> --with-external-libupnp, so fixing libupnp should be good enough here.
>>>>
>>>> mediatomb doesn't build-depend on libupnp-dev and looking at
>>>> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
>>>> it seems that the embedded copy is used, so mediatomb needs additional
>>>> handling to fix the bug. Also the copy is vulnerable.
>>>
>>> The Fedora maintainer asked upstream about it a while back:
>>> https://sourceforge.net/p/mediatomb/bugs/114/
>>>
>>> I have not checked how extensive the patching is, but I expect
>>> unbundling libupnp from mediatomb would be a lot of work which no one
>>> has volunteered to do.
>>>
>>> Upstream appears to be dead which is why they haven't fixed it.
>>
>> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
>> current state it will not be part of stretch.
> 
> I think this makes sense. Can you request the removal from unstable?

I've just discovered this fork of mediatomb:
https://github.com/v00d00/mediatomb

It seems to be quite active and they've already removed the embedded
copy of libupnp (although it requires the unreleased 1.8 version). Maybe
we could switch to that instead of removing it? I can have a look.

James
