Thanks for the tip, Ricardo! It appears that disabling that define still compiles (and installs) the vulnerable program. I'll upload a new package that not only disables that define, but also modifies the top-level Makefile to no longer build and install mongoose:

https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch

Let me know what you think and what you intend to do upstream to resolve this issue.

Thanks,
Reinhard

On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer....@gmail.com> wrote:
>
> Hello.
>
> I wasn't aware of those vulnerabilities in mongoose.
> It's possible to disable the support for chromecast in smplayer by
> commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
>
> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
> > Hi Ricardo,
> >
> > I'm not sure if you have seen this email. Moritz from the Debian
> > security team is reporting a release-critical bug in smplayer. More
> > specifically, smplayer appears to be using the mongoose webserver
> > implementation as an implementation detail of the chromecast
> > component.
> >
> > Having to remove smplayer would be most unfortunate. I checked the
> > upstream commits at
> > https://github.com/cesanta/mongoose/commits/master, but apparently
> > there is no fix available yet. Maybe I'm missing something, but if not,
> > my question to you is whether we can easily disable the chromecast
> > component from the smplayer build?
> >
> > Please let me know your thoughts on this.
> >
> > Best,
> > Reinhard
> >
> > ---------- Forwarded message ---------
> > From: Moritz Muehlenhoff <j...@debian.org>
> > Date: Thu, May 17, 2018 at 12:51 PM
> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
> > To: Debian Bug Tracking System <sub...@bugs.debian.org>
> >
> > Source: smplayer
> > Severity: grave
> > Tags: security
> >
> > smplayer seems to embed Cesanta Mongoose:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
> >
> > Cheers,
> > Moritz
> >
> > _______________________________________________
> > pkg-multimedia-maintainers mailing list
> > pkg-multimedia-maintain...@alioth-lists.debian.net
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
> >
> > --
> > regards,
> > Reinhard
>
> --
> RVM

--
regards,
Reinhard
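The thread's point is that commenting out the define was not enough: the top-level Makefile still built and installed the mongoose binary. A packager wants a check that runs against the build output rather than trusting the patch. The script below is an added example, not part of this thread and not smplayer's or Debian's own tooling. It assumes the project file path src/smplayer.pro and the DEFINES line Ricardo quoted, and it assumes that an unstripped build which still links mongoose exposes mongoose's public API names (mg_bind, mg_mgr_init, mg_mgr_poll, mg_set_protocol_http_websocket) as printable strings; that naming is an assumption about mongoose, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the smplayer/Debian thread): post-build checks that
# a "disable chromecast" patch really dropped the embedded mongoose component.
#
# Assumptions (not taken from the thread):
#   - the Qt project file is src/smplayer.pro and enables the component with
#     a line "DEFINES += CHROMECAST_SUPPORT";
#   - an unstripped build that still links mongoose contains its API names
#     (mg_bind, mg_mgr_init, ...) as printable strings.

# chromecast_define_active FILE
# Exit 0 if an uncommented "DEFINES += CHROMECAST_SUPPORT" line is present.
chromecast_define_active() {
    grep -Eq '^[[:space:]]*DEFINES[[:space:]]*\+=[[:space:]]*CHROMECAST_SUPPORT([[:space:]]|$)' "$1"
}

# mongoose_symbols_present FILE
# Exit 0 if FILE (object, library or executable) contains mongoose API names.
# Non-printable bytes are turned into newlines so grep sees one name per line.
mongoose_symbols_present() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -Eq '^mg_(bind|mgr_init|mgr_poll|set_protocol_http_websocket)$'
}

# check_tree SRCDIR DESTDIR
# SRCDIR is the patched source tree, DESTDIR the staged install (e.g. debian/tmp).
# Prints one FAIL line per finding; the return value is the number of findings.
check_tree() {
    src="$1"; dest="$2"; problems=0
    if chromecast_define_active "$src/src/smplayer.pro"; then
        echo "FAIL: CHROMECAST_SUPPORT still defined in $src/src/smplayer.pro"
        problems=$((problems + 1))
    fi
    # Flag an installed mongoose binary by name, and any installed file that
    # still carries mongoose API names (the case Reinhard hit: the define was
    # off, but the Makefile kept building and installing mongoose).
    for f in $(find "$dest" -type f 2>/dev/null); do
        case "$(basename "$f")" in
            mongoose*)
                echo "FAIL: mongoose installed as $f"
                problems=$((problems + 1))
                continue
                ;;
        esac
        if mongoose_symbols_present "$f"; then
            echo "FAIL: mongoose symbols found in $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# usage: sh check_no_mongoose.sh <source-tree> <staged-install-dir>
if [ "$#" -eq 2 ]; then
    check_tree "$1" "$2" && echo "OK: no mongoose component found"
fi
```

Run it on the staged install before stripping (on Debian, debian/tmp before dh_strip): a stripped executable no longer carries symbol names, so the string scan only proves something for unstripped objects and binaries, while the file-name check still applies either way. A zero exit status means neither the define nor an installed mongoose was found.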