Cyril Brulebois
2009-May-19 00:28 UTC
[Secure-testing-team] Bug#529372: transmission: Contains and uses embedded code copy: libevent
Package: transmission
Version: 1.61-2
Severity: important
Tags: patch security

Hello,

while looking around for things using libevent, I stumbled upon transmission which contains and uses an embedded code copy of the libevent library. I've put together a patch to get rid of it.

To test it:
- get rid of third-party/libevent
- apply that patch (minus debian/changelog)
- run ./autogen.sh to update build system as needed.

There you go. Note the additional Depends on libevent*, so it looks like it's actually working (although I didn't do any runtime checks).

Note that the unstable version doesn't seem to build with stable's libevent (which is called ancient by upstream and contains some huge bugs, as seen with used u_char and ssize_t without having them declared in the first place), so you might need to take extra care when backporting.

You probably want to make LIBEVENT_*FLAGS handling prettier before sending it upstream, but oh well, I'm leaving a bit of work to you. :)

I'm putting secure-testing-team@ in X-Debbugs-Cc (as requested in http://wiki.debian.org/EmbeddedCodeCopies). Former versions may have the same issue.

Cheers,
--
Cyril Brulebois
Cyril Brulebois
2009-May-19 00:33 UTC
[Secure-testing-team] Bug#529372: transmission: Contains and uses embedded code copy: libevent
Some minutes ago:
> - apply that patch (minus debian/changelog)

Try the *attached* one.

--
Cyril Brulebois
Cyril Brulebois
2009-May-19 00:35 UTC
[Secure-testing-team] Bug#529372: transmission: Contains and uses embedded code copy: libevent
Yes, I can. (And sorry for the noise, really.)

--
Cyril Brulebois

-------------- next part --------------
A non-text attachment was scrubbed...
Name: transmission-libevent.diff
Type: text/x-diff
Size: 3873 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090519/abe37401/attachment.diff>