Package: transmission
Version: 1.61-2
Severity: important
Tags: patch security

Hello,

while looking around for things using libevent, I stumbled upon
transmission which contains and uses an embedded code copy of the
libevent library. I've put together a patch to get rid of it. To test
it:
 - get rid of third-party/libevent
 - apply that patch (minus debian/changelog)
 - run ./autogen.sh to update build system as needed.

There you go. Note the additional Depends on libevent*, so it looks like
it's actually working (although I didn't do any runtime checks).

Note that the unstable version doesn't seem to build with stable's
libevent (which is called ancient by upstream and contains some huge
bugs, as seen with used u_char and ssize_t without having them declared
in the first place), so you might need to take extra care when
backporting.

You probably want to make LIBEVENT_*FLAGS handling prettier before
sending it upstream, but oh well, I'm leaving a bit of work to you. :)

I'm putting secure-testing-team@ in X-Debbugs-Cc (as requested in
http://wiki.debian.org/EmbeddedCodeCopies). Former versions may have the
same issue.

Cheers,
-- 
Cyril Brulebois


