Control: found -1 14.9.0~ds0-1
Control: fixed -1 17.7.0~ds0-1

Hi,

On 31/07/17 06:45, Jonas Smedegaard wrote:
> Source: smplayer
> Version: 17.7.0~ds0-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> smplayer includes code in src/basegui.cpp to download and (I guess)
> execute javascript code for parsing youtube paths.  The download URL is
> http://updates.smplayer.info/yt.js which is insecure and therefore I
> suspect easy to replace with evil code.

If I am reading the code correctly, it looks like the javascript
download code is gated on the YT_USE_YTSIG define which is disabled in
the version in buster/sid:

https://sources.debian.net/src/smplayer/17.7.0~ds0-1/src/smplayer.pro/#L439

However, it is enabled in stretch and jessie (with a slightly different
define in jessie):

https://sources.debian.net/src/smplayer/16.11.0~ds0-1/src/smplayer.pro/#L442
https://sources.debian.net/src/smplayer/14.9.0~ds0-1/src/smplayer.pro/#L339

So I think this bug only affects those versions.

Thanks,
James
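
The check described in this message, whether a build define such as YT_USE_YTSIG is left enabled in a release's smplayer.pro, can be repeated mechanically for each packaged version. The following is an added example, not part of the original message and not smplayer or Debian code; the .pro fragments are constructed, `OTHER_FEATURE` is a placeholder name, and every qmake scope is assumed to be taken.

```python
import re

# qmake operators on DEFINES: "=" resets, "+=" / "*=" add, "-=" removes.
ASSIGN = re.compile(r"\bDEFINES\s*(\+=|\*=|-=|=)\s*([^}]*)")

def active_defines(pro_text):
    """Return the DEFINES a qmake .pro file leaves enabled.

    Assumption: every scope (`contains(...) { ... }`) is treated as taken,
    so the result over-reports rather than hides an enabled define.
    """
    defines = set()
    joined = pro_text.replace("\\\n", " ")      # join continuation lines
    for line in joined.splitlines():
        code = line.split("#", 1)[0]            # '#' starts a qmake comment
        m = ASSIGN.search(code)
        if not m:
            continue
        op, names = m.group(1), set(m.group(2).split())
        if op == "=":
            defines = names
        elif op == "-=":
            defines -= names
        else:
            defines |= names
    return defines

def is_enabled(pro_text, define):
    """True if `define` survives all DEFINES assignments in the file."""
    return define in active_defines(pro_text)

# Constructed fragments (not copied from smplayer.pro).
PRO_ENABLED = """\
DEFINES += OTHER_FEATURE
contains( DEFINES, OTHER_FEATURE ) {
    DEFINES += YT_USE_YTSIG
}
"""
PRO_DISABLED = """\
DEFINES += OTHER_FEATURE
contains( DEFINES, OTHER_FEATURE ) {
    #DEFINES += YT_USE_YTSIG
}
"""

if __name__ == "__main__":
    for label, text in (("enabled", PRO_ENABLED), ("disabled", PRO_DISABLED)):
        print(label, is_enabled(text, "YT_USE_YTSIG"))
```
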
