Hello,

On 12/09/2016 11:28 AM, Sebastian Ramacher wrote:
> On 2016-12-09 10:16:25, James Cowgill wrote:
>> On 09/12/16 09:27, Uwe Kleine-König wrote:
>>> there are two source packages (in sid, found via codesearch.d.n) that
>>> include embedded copies of libupnp: djmount and mediatomb (maintainers
>>> on Cc:).
>>>
>>> djmount build-depends on libupnp-dev and calls configure with
>>> --with-external-libupnp, so fixing libupnp should be good enough here.
>>>
>>> mediatomb doesn't build-depend on libupnp-dev and looking at
>>> https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907
>>> it seems that the embedded copy is used, so mediatomb needs additional
>>> handling to fix the bug. Also the copy is vulnerable.
>>
>> The Fedora maintainer asked upstream about it a while back:
>> https://sourceforge.net/p/mediatomb/bugs/114/
>>
>> I have not checked how extensive the patching is, but I expect
>> unbundling libupnp from mediatomb would be a lot of work which no one
>> has volunteered to do.
>>
>> Upstream appears to be dead which is why they haven't fixed it.
>
> Maybe it's time to get mediatomb removed. It was not part of jessie and in its
> current state it will not be part of stretch.
mediatomb already has a grave bug that lists a number of CVEs that affect the
embedded copy of libupnp (#841224). It already mentions CVE-2016-8863. Also
mediatomb isn't in testing as of now.

Best regards
Uwe
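As an added illustration (not code from this thread, nor from djmount or mediatomb): the three checks Uwe applies above, whether the source build-depends on libupnp-dev, whether debian/rules passes an external-library switch to configure, and whether the buildd log compiles files out of a bundled directory, turned into a small Python script. It runs over constructed sample package contents; the package names, file layouts, log lines and the "directory name mentions upnp" heuristic for spotting a bundled copy are assumptions, and the real answer for a given package still comes from codesearch.d.n and the actual build log.

```python
"""Heuristic check for a Debian source package: does it build against the
system libupnp (libupnp-dev build-dependency plus an external-library
configure switch) or compile an embedded copy?  Added illustration; all
package contents below are constructed samples, not real packages."""
import re
from dataclasses import dataclass


def control_field(control_text: str, name: str) -> str:
    """Value of field `name` in the first stanza that has it, with
    continuation lines (leading whitespace) joined."""
    value = None
    for line in control_text.splitlines():
        if value is not None:
            if line[:1] in (" ", "\t"):
                value += " " + line.strip()
                continue
            break                                   # field ended
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value or ""


def build_depends(control_text: str) -> set:
    """Package names from Build-Depends / Build-Depends-Indep with version
    constraints, architecture qualifiers and alternatives (|) stripped."""
    names = set()
    for fld in ("Build-Depends", "Build-Depends-Indep"):
        for dep in control_field(control_text, fld).split(","):
            for alt in dep.split("|"):
                m = re.match(r"\s*([a-z0-9][a-z0-9+.-]*)", alt)
                if m:
                    names.add(m.group(1))
    return names


def upnp_configure_flags(rules_text: str) -> set:
    """configure switches in debian/rules that mention upnp."""
    return set(re.findall(
        r"--(?:with|without|enable|disable)-[a-z0-9-]*upnp[a-z0-9-]*", rules_text))


def embedded_upnp_dirs(tree_paths) -> list:
    """Directory names in the source tree that mention upnp (assumed heuristic
    standing in for the codesearch.d.n query).  Only directory components are
    examined, so a package's own src/upnp_client.c does not count."""
    found = set()
    for path in tree_paths:
        for d in path.split("/")[:-1]:
            if re.search(r"upnp", d, re.I):
                found.add(d)
    return sorted(found)


def log_compiles_embedded(log_text: str, dirs) -> int:
    """Count compiler invocations in a build log whose source file lives under
    one of `dirs`: the build-log reading done for mediatomb in the thread."""
    n = 0
    for line in log_text.splitlines():
        if " -c " not in line:
            continue
        if any(re.search(r"(^|[\s/])%s/" % re.escape(d), line) for d in dirs):
            n += 1
    return n


@dataclass
class Report:
    dev_builddep: bool
    external_flag: bool
    embedded_dirs: list
    embedded_compiles: int = 0
    verdict: str = ""          # "external", "embedded" or "none"


def classify(control_text, rules_text, tree_paths, log_text="") -> Report:
    deps = build_depends(control_text)
    flags = upnp_configure_flags(rules_text)
    dirs = embedded_upnp_dirs(tree_paths)
    r = Report(
        dev_builddep="libupnp-dev" in deps,
        external_flag=any(f.startswith("--with-external-") for f in flags),
        embedded_dirs=dirs,
        embedded_compiles=log_compiles_embedded(log_text, dirs) if log_text else 0,
    )
    if r.embedded_compiles:                 # the build log is the strongest evidence
        r.verdict = "embedded"
    elif r.dev_builddep and r.external_flag:
        r.verdict = "external"              # fixing libupnp itself is enough
    elif dirs:
        r.verdict = "embedded"              # bundled copy, needs its own handling
    elif r.dev_builddep:
        r.verdict = "external"
    else:
        r.verdict = "none"
    return r


# Constructed samples, loosely modelled on the two cases discussed in the thread.
CONTROL_EXTERNAL = """Source: djmount-like
Build-Depends: debhelper (>= 9), libfuse-dev,
 libupnp-dev (>= 1:1.6) | libupnp6-dev, pkg-config [linux-any]

Package: djmount-like
Architecture: any
"""
RULES_EXTERNAL = "#!/usr/bin/make -f\n%:\n\tdh $@\noverride_dh_auto_configure:\n\tdh_auto_configure -- --with-external-libupnp\n"
TREE_EXTERNAL = ["configure.ac", "src/djfs.c", "libupnp/upnp/src/api/upnpapi.c"]

CONTROL_EMBEDDED = "Source: mediatomb-like\nBuild-Depends: debhelper (>= 9), libsqlite3-dev, libexpat1-dev\n\nPackage: mediatomb-like\nArchitecture: any\n"
RULES_EMBEDDED = "#!/usr/bin/make -f\n%:\n\tdh $@\n"
TREE_EMBEDDED = ["configure.ac", "src/upnp_xml.cc", "tombupnp/upnp/src/api/upnpapi.c"]
LOG_EMBEDDED = """libtool: compile:  gcc -DHAVE_CONFIG_H -I. -c tombupnp/upnp/src/api/upnpapi.c -o upnpapi.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -c src/upnp_xml.cc -o upnp_xml.o
"""

if __name__ == "__main__":
    print(classify(CONTROL_EXTERNAL, RULES_EXTERNAL, TREE_EXTERNAL))
    print(classify(CONTROL_EMBEDDED, RULES_EMBEDDED, TREE_EMBEDDED, LOG_EMBEDDED))
```

A tree that carries a bundled copy but is configured with an external-library switch (the djmount case) is reported as "external", because what matters for the CVE fix is which copy gets linked, not which copy is shipped in the tarball; a package with no libupnp-dev build-dependency and a bundled directory (the mediatomb case) comes out "embedded", and a build log that compiles files under that directory confirms it.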
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers