Package: mp4h
Version: 1.3.1-16
Severity: important
Tags: patch
User: helm...@debian.org
Usertags: rebootstrap

mp4h statically links libpcre. That's a pretty bad idea. pcre has a
history of security issues and having to rebuild mp4h for security is
not a nice property. It also raises the question whether mp4h should
have a Built-Using Header. Half of the Installed-Size is contributed by
libpcre. Finally, using the build architecture libpcre in a host
architecture application breaks cross compilation.

Quite simply, I propose linking mp4h dynamically to solve all of these
issues. Please consider applying the attached patch.

Helmut
diff --minimal -Nru mp4h-1.3.1/debian/changelog mp4h-1.3.1/debian/changelog
--- mp4h-1.3.1/debian/changelog 2016-08-13 00:17:10.000000000 +0200
+++ mp4h-1.3.1/debian/changelog 2018-06-14 13:50:26.000000000 +0200
@@ -1,3 +1,10 @@
+mp4h (1.3.1-16.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Link libpcre dynamically. (Closes: #-1)
+
+ -- Helmut Grohne <hel...@subdivi.de>  Thu, 14 Jun 2018 13:50:26 +0200
+
 mp4h (1.3.1-16) unstable; urgency=medium
 
   * Finetune regular expression for replacing <timer/> output in HTML
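Review bot: In the new changelog entry, `(Closes: #-1)` is still the placeholder, not a real bug number, so an upload with this entry would not close the report. Replace it with the number assigned to this bug, and set the distribution, currently `UNRELEASED`, when the upload is prepared.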
diff --minimal -Nru mp4h-1.3.1/debian/patches/use-system-pcre.diff 
mp4h-1.3.1/debian/patches/use-system-pcre.diff
--- mp4h-1.3.1/debian/patches/use-system-pcre.diff      2016-08-12 
23:48:06.000000000 +0200
+++ mp4h-1.3.1/debian/patches/use-system-pcre.diff      2018-06-14 
13:50:15.000000000 +0200
@@ -37,19 +37,15 @@
  mp4h_LDFLAGS = -export-dynamic
  endif
 -mp4h_LDADD   = -lm $(top_builddir)/lib/libmp4h.a 
$(top_builddir)/pcre/libpcre.a @LIBINTL@ $(MODULE_LDADD)
-+mp4h_LDADD   = -lm $(top_builddir)/lib/libmp4h.a 
@DEB_BUILD_MULTIARCH@/libpcre.a @LIBINTL@ $(MODULE_LDADD)
++mp4h_LDADD   = -lm $(top_builddir)/lib/libmp4h.a -lpcre @LIBINTL@ 
$(MODULE_LDADD)
  
  include_HEADERS = mp4h.h
  noinst_HEADERS  = builtin.h
 Index: mp4h/configure.ac
 ===================================================================
 --- mp4h.orig/configure.ac     2013-09-25 01:46:25.984808776 +0200
 +++ mp4h/configure.ac  2013-09-25 01:46:26.008809186 +0200
-@@ -140,10 +140,10 @@
- dnl  This line is needed for Debian builds
- AC_SUBST(CFLAGS)
- AC_SUBST([INTLINCL], [])
-+AC_SUBST([DEB_BUILD_MULTIARCH], [/usr/lib/`dpkg-architecture 
-qDEB_BUILD_MULTIARCH`])
+@@ -143,7 +143,6 @@
  
  AC_CONFIG_FILES([
     Makefile
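Review bot: On the new `mp4h_LDADD` line, `-lpcre` is hardcoded and the visible configure.ac hunk adds no configure-time check for the library, so a missing libpcre development package would only surface as a link error. Consider a check such as `AC_CHECK_LIB([pcre], [pcre_compile])` in configure.ac and using its result in `mp4h_LDADD`. Because the binary now needs the shared library at run time, also confirm that debian/control (not part of this diff) picks up the dependency through `${shlibs:Depends}`.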
