Ticket #2070 (closed defect: notabug)

Opened 3 years ago

Last modified 3 years ago

Is it possible to drop audioop dependency from TA

Reported by: alsroot
Owned by: walter
Priority: Unspecified by Maintainer
Milestone: Unspecified by Release Team
Component: Turtleart
Version: Unspecified
Severity: Unspecified
Keywords:
Cc:
Distribution/OS: openSUSE
Bug Status: Unconfirmed

Description

There is a vulnerability in audioop:
 http://vigilance.fr/vulnerability/Python-buffer-overflows-of-audioop-9708.
For example, openSUSE dropped audioop from the python package; most likely they will revert that after the issue is fixed. But maybe it will be easier to just remove the audioop dependency from TA?

Change History

Changed 3 years ago by walter

Does TA have a dependency on audioop? I couldn't find it. Is it pulled in by gst?

Changed 3 years ago by alsroot

  • status changed from new to closed
  • resolution set to notabug

Sorry, it was in TA-83...

Changed 3 years ago by walter

I just checked the tar file for 0.83 and there is no audioop.so (nor do I think it would have been called by so recent a version). I wonder if this is an example of install not removing old files?

Changed 3 years ago by alsroot

talogo.py from v83 contains "import audioop", but it looks like it doesn't use it anymore.

Changed 3 years ago by walter

Must have before I cleaned up the spurious imports... Thanks for tracking this down.
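
The situation found in this ticket, a leftover "import audioop" that nothing references yet still makes the module a hard dependency, can be checked for mechanically. The following is an added example, not part of the ticket or of Turtle Art's code; the function name unused_imports and both sample sources are constructed for illustration, and it assumes the file parses under the Python version running the check.

```python
import ast

def unused_imports(source, module="audioop"):
    """Return sorted [(lineno, bound_name)] for imports of `module` never read."""
    tree = ast.parse(source)
    bound = {}  # local name -> line number of the import statement
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == module or alias.name.startswith(module + "."):
                    # "import audioop.x" binds "audioop"; "as" binds the alias
                    bound[alias.asname or alias.name.split(".")[0]] = node.lineno
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            mod = node.module or ""
            if mod == module or mod.startswith(module + "."):
                for alias in node.names:
                    if alias.name != "*":  # star imports cannot be judged statically
                        bound[alias.asname or alias.name] = node.lineno
    # Every identifier that is read anywhere, including the base of "audioop.rms"
    used = {n.id for n in ast.walk(tree)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    return sorted((line, name) for name, line in bound.items() if name not in used)

# Constructed sample: the module is imported but never referenced.
SPURIOUS = '''import math
import audioop

def level(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))
'''

# Constructed sample: the import is genuinely needed.
USED = '''import audioop

def level(frames):
    return audioop.rms(frames, 2)
'''

if __name__ == "__main__":
    for label, src in (("spurious", SPURIOUS), ("used", USED)):
        print(label, unused_imports(src))
```

The check only parses the source and never imports audioop itself, so it also runs on systems where the module has been removed.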
