Audit of Debian/Ubuntu for unfixed vulnerabilities because of embedded code copies

Manuel A. Fernandez Montecelo manuel.montezelo at gmail.com
Tue Jul 3 10:04:47 UTC 2012


2012/7/2 Silvio Cesare <silvio.cesare at gmail.com>:
> Now Debian's database of tracked code copies reports that libmikmod is
> copied in sdl-mixer1.2. Looking at the package, there is a zip file of
> libmikmod 3.1.12 in the tree containing the potentially vulnerable load_it.c
> source code. I tried a build to see if this zip was unpacked, but it doesn't
> appear to be. Is this library ever used? If it's not being used, then there
> is no vuln. If it's being used, then you might want to check that a patch
> has been applied.
>
> Please cc me on any progress or questions.

As you probably know, the upstream source code in many Debian source
packages contains copies of other libraries, like tinyxml or image and
sound formats.  Fortunately in some cases (including this one), those
are only used in the case that there's no such library installed in
the system at build time.

We pull libmikmod in debian/control, so the configure script finds it
and builds sdl-mixer1.2 with support for the system's libmikmod
instead of its own copy:

https://buildd.debian.org/status/fetch.php?pkg=sdl-mixer1.2&arch=i386&ver=1.2.12-2&stamp=1335919854

  checking for libmikmod-config... /usr/bin/libmikmod-config
  checking for libmikmod - version >= 3.1.10... yes

So I think that we're safe :-)

Thanks for the program and the explanation!

Cheers.
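The check described in the thread (does the build log show configure picking up the system libmikmod, and does the source tree still ship an embedded copy?) as an added example, not code from the thread or from the Debian SDL packaging. The log lines and tree listing are constructed samples; the "embedded-copy-used" status is a heuristic that assumes the bundled copy is compiled only when the system library is absent, as the reply states.

```python
import re
from dataclasses import dataclass

# Constructed sample of the configure lines from an sdl-mixer1.2 build log;
# the two libmikmod lines mirror the ones quoted in the thread.
SAMPLE_LOG = """\
checking for SDL - version >= 1.2.10... yes
checking for libmikmod-config... /usr/bin/libmikmod-config
checking for libmikmod - version >= 3.1.10... yes
"""
# Constructed log for a build without libmikmod-dev installed (autoconf prints "no").
MISSING_LOG = """\
checking for SDL - version >= 1.2.10... yes
checking for libmikmod-config... no
"""
# Constructed (hypothetical) listing of an unpacked source tree.
SAMPLE_TREE = ["Makefile.in", "mixer.c", "music.c",
               "libmikmod-3.1.12.zip", "debian/control"]

CONFIG_RE = re.compile(r"^checking for libmikmod-config\.\.\. (\S+)$", re.M)
VERSION_RE = re.compile(r"^checking for libmikmod - version >= [\d.]+\.\.\. (yes|no)$", re.M)
EMBEDDED_RE = re.compile(r"libmikmod-(\d+\.\d+\.\d+)\.(zip|tar\.gz|tar\.bz2)$")

@dataclass
class Verdict:
    system_lib: bool            # configure found and accepted the system libmikmod
    embedded_versions: list     # embedded libmikmod copies still shipped in the tree
    status: str                 # "safe", "embedded-copy-used" or "unknown"

def audit(log_text, tree_paths):
    """Decide whether an embedded libmikmod copy could end up in the binary."""
    found = CONFIG_RE.search(log_text)
    version_ok = VERSION_RE.search(log_text)
    system_lib = bool(found and found.group(1) != "no"
                      and version_ok and version_ok.group(1) == "yes")
    embedded = []
    for path in tree_paths:
        m = EMBEDDED_RE.search(path)
        if m:
            embedded.append(m.group(1))
    if system_lib:
        status = "safe"                 # bundled copy is never compiled or linked
    elif embedded:
        status = "embedded-copy-used"   # bundled copy likely built: needs the fix applied
    else:
        status = "unknown"              # no evidence either way; inspect the build by hand
    return Verdict(system_lib, embedded, status)
```

A "safe" verdict still leaves the unused zip in the source package, which is why Debian tracks such copies separately from whether they are compiled.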
