Although wml has an embedded copy of Libtool's ltdl.c, it is not affected by this bug.
The possibly vulnerable file is located in an unused directory containing mp4h source code. Mp4h has its own source package, which builds the binary package of the same name. Wml uses the executable provided by the package mp4h, instead of building it by itself. I also checked this by comparing file access times before and after I built the package.

The source package wml has a lot of unused files; this could be documented in README.Source. Since Debian ships a repackaged wml anyway, these files could also be removed from the tarball. Another option is simply closing this bug. This decision is up to the maintainer; I just change the severity and remove the security tag.

Regards
Carsten