Hi, On 09/12/16 09:27, Uwe Kleine-König wrote: > Hello, > > there are two source packages (in sid, found via codesearch.d.n) that > include embedded copies of libupnp: djmount and mediatomb (maintainers > on Cc:). > > djmount build-depends on libupnp-dev and calls configure with > --with-external-libupnp, so fixing libupnp should be good enough here. > > mediatomb doesn't build-depend on libupnp-dev and looking at > https://buildd.debian.org/status/fetch.php?pkg=mediatomb&arch=armhf&ver=0.12.1-47-g7ab7616-1%2Bb4&stamp=1460993907 > it seems that the embedded copy is used, so mediatomb needs additional > handling to fix the bug. Also the copy is vulnerable.
The Fedora maintainer asked upstream about it a while back: https://sourceforge.net/p/mediatomb/bugs/114/ I have not checked how extensive the patching is, but I expect unbundling libupnp from mediatomb would be a lot of work which noone has volunteered to do. Upstream appears to be dead which is why they haven't fixed it. Thanks, James
signature.asc
Description: OpenPGP digital signature
