[Secure-testing-team] Bug#529372: transmission: Contains and uses embedded code copy: libevent
Cyril Brulebois
cyril.brulebois at kerlabs.com
Tue May 19 00:28:50 UTC 2009
Package: transmission
Version: 1.61-2
Severity: important
Tags: patch security

Hello,

while looking around for things using libevent, I stumbled upon
transmission which contains and uses an embedded code copy of the
libevent library. I've put together a patch to get rid of it. To test
it:
- get rid of third-party/libevent
- apply that patch (minus debian/changelog)
- run ./autogen.sh to update build system as needed.

There you go. Note the additional Depends on libevent*, so it looks like
it's actually working (although I didn't do any runtime checks).

Note that the unstable version doesn't seem to build with stable's
libevent (which is called ancient by upstream and contains some huge
bugs, as seen with used u_char and ssize_t without having them declared
in the first place), so you might need to take extra care when
backporting.

You probably want to make LIBEVENT_*FLAGS handling prettier before
sending it upstream, but oh well, I'm leaving a bit of work to you. :)

I'm putting secure-testing-team@ in X-Debbugs-Cc (as requested in
http://wiki.debian.org/EmbeddedCodeCopies). Former versions may have the
same issue.

Cheers,
--
Cyril Brulebois
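
A way to check the result of the test procedure in the message above, as an added example that is not part of the original report or of the patch it mentions: the extra Depends on libevent* comes from the binary's NEEDED entries, so the check confirms that `third-party/libevent` is gone from the source tree and that the built binary lists a shared libevent. The function names and the sample `objdump -p` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a build uses the system libevent instead of
# the bundled copy. All names and sample data below are illustrative.

# Constructed `objdump -p` excerpt for a binary linked against a shared
# libevent (the soname shown is a sample value).
SAMPLE_SHARED='Dynamic Section:
  NEEDED               libevent-1.4.so.2
  NEEDED               libc.so.6'

# Constructed excerpt for a binary built from the embedded copy: libevent
# is compiled in, so it never shows up as a NEEDED library.
SAMPLE_EMBEDDED='Dynamic Section:
  NEEDED               libcurl.so.4
  NEEDED               libc.so.6'

# Reads `objdump -p` output on stdin; succeeds if a libevent shared
# library is listed as NEEDED.
links_shared_libevent() {
    awk '$1 == "NEEDED" && $2 ~ /^libevent[-._]/ { found = 1 }
         END { exit !found }'
}

# Succeeds if source tree $1 still carries the bundled copy at the path
# named in the bug report.
has_embedded_libevent() {
    [ -d "$1/third-party/libevent" ]
}

# check_tree SRC_DIR BINARY: returns 0 only if both checks pass.
check_tree() {
    if has_embedded_libevent "$1"; then
        echo "FAIL: $1/third-party/libevent still present"
        return 1
    fi
    if ! objdump -p "$2" | links_shared_libevent; then
        echo "FAIL: $2 has no NEEDED entry for libevent"
        return 1
    fi
    echo "OK: $2 links the shared libevent"
}

# Run the check when called as: script SRC_DIR BINARY
if [ "$#" -eq 2 ]; then
    check_tree "$1" "$2"
fi
```

This covers only the build-time linkage; it is not a runtime check.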