On 04.06.2018 18:47 +0100, Reinhard Tartler wrote:
Ok, thanks. That sounds like a good plan!

Reinhard

On Sun, Jun 3, 2018, 19:49 Ricardo Villalba <smplayer....@gmail.com> wrote:

    I don't know yet. I guess I'll have to look for another simple web
    server.


    2018-06-03 23:15 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
     > Thanks for the tip, Ricardo!
     >
     > It appears that disabling that define still compiles (and installs)
     > the vulnerable program. I'll upload a new package that not only
     > disables that define, but also modifies the top-level Makefile to no
     > longer build and install mongoose:
     >
     >
     > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
     >
     > Let me know what you think and what do you intend to do upstream to
     > resolve this issue.
     >
     > Thanks,
     > Reinhard
     > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer....@gmail.com> wrote:
     >>
     >> Hello.
     >>
     >> I wasn't aware of those vulnerabilities in mongoose.
     >> It's possible to disable the support for chromecast in smplayer by
     >> commenting out the line DEFINES += CHROMECAST_SUPPORT in
     >> src/smplayer.pro
     >>
     >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
     >> > Hi Ricardo,
     >> >
     >> > I'm not sure if you have seen this email, Moritz from the Debian
     >> > security team is reporting a release-critical bug in smplayer. More
     >> > specifically, smplayer appears to be using the mongoose webserver
     >> > implementation as an implementation detail of the chromecast
     >> > component.
     >> >
     >> > Having to remove smplayer would be most unfortunate. I checked the
     >> > upstream commits at
     >> > https://github.com/cesanta/mongoose/commits/master, but apparently
     >> > there is no fix available yet. Maybe I'm missing something but if not,
     >> > my question to you is whether we can easily disable the chromecast
     >> > component from the smplayer build?
     >> >
     >> > Please let me know your thoughts on this.
     >> >
     >> > Best,
     >> > Reinhard
     >> >
     >> > ---------- Forwarded message ---------
     >> > From: Moritz Muehlenhoff <j...@debian.org>
     >> > Date: Thu, May 17, 2018 at 12:51 PM
     >> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
     >> > To: Debian Bug Tracking System <sub...@bugs.debian.org>
     >> >
     >> >
     >> > Source: smplayer
     >> > Severity: grave
     >> > Tags: security
     >> >
     >> > smplayer seems to embed Cesanta Mongoose:
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
     >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
     >> >
     >> > Cheers,
     >> >         Moritz
     >> >
     >> > _______________________________________________
     >> > pkg-multimedia-maintainers mailing list
     >> > pkg-multimedia-maintain...@alioth-lists.debian.net
     >> >
     >> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
     >> >
     >> >
     >> > --
     >> > regards,
     >> >     Reinhard
     >>
     >>
     >>
     >> --
     >> RVM
     >
     >
     >
     > --
     > regards,
     >     Reinhard



-- RVM




Hi,

This is not fixed for me. I made a patch that adds the latest Mongoose version,
which includes fixes for all of these CVEs.
It is now pushed to salsa.

--
 .''`.  Mateusz Łukasik
: :' :  https://l0calh0st.pl
`. `'   Debian Member - mat...@linuxmint.pl
  `-    GPG: D93B 0C12 C8D0 4D7A AFBC  FA27 CCD9 1D61 11A0 6851
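The three checks this thread turns on, as an added example that is not part of the thread and not code from smplayer, Debian or Cesanta: whether a qmake .pro file still carries an uncommented "DEFINES += CHROMECAST_SUPPORT" line, whether the top-level Makefile still descends into the mongoose directory (Reinhard's point that disabling the define alone still builds and installs the vulnerable code), and which version a vendored mongoose.h declares (the thing Mateusz's "latest Mongoose version" patch changes). It assumes the vendored header is named mongoose.h and declares MG_VERSION as a quoted string, that the project file uses qmake's "DEFINES +=" syntax with "#" comments, and that the caller supplies the first Mongoose release they trust from the upstream advisory. The sample tree and the "6.9" placeholder threshold in the script are constructed and make no claim about which release fixed the CVEs above.

```python
#!/usr/bin/env python3
"""Audit a source tree for a vendored copy of Cesanta Mongoose.

Added example for this thread, not code from smplayer, Debian or Cesanta.
Flags: a vendored mongoose.h older than the caller's trusted version, an
uncommented 'DEFINES += CHROMECAST_SUPPORT' in a .pro file, and a Makefile
that still builds the mongoose directory.
"""
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample input mirroring the layout the thread describes;
# it is not the real smplayer source, and "6.8" is a made-up value.
SAMPLE_TREE: Dict[str, str] = {
    "src/smplayer.pro": (
        "TEMPLATE = app\n"
        "DEFINES += CHROMECAST_SUPPORT\n"
        "contains( DEFINES, CHROMECAST_SUPPORT ) {\n"
        "    LIBS += -L../mongoose -lmongoose\n"
        "}\n"
    ),
    "src/mongoose/mongoose.h": '#define MG_VERSION "6.8"\n',
    "Makefile": "all:\n\tcd src/mongoose && $(MAKE)\n\tcd src && $(MAKE)\n",
}

MG_VERSION_RE = re.compile(r'#define\s+MG_VERSION\s+"([^"]+)"')
CHROMECAST_DEFINE_RE = re.compile(r"DEFINES\s*\+=\s*.*\bCHROMECAST_SUPPORT\b")


def load_tree(root: str) -> Dict[str, str]:
    """Read a real checkout into the {relative path: text} shape audit() takes."""
    tree: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    tree[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
    return tree


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.8' -> (6, 8); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def find_mongoose(tree: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map every vendored mongoose.h to its MG_VERSION (None if not declared)."""
    found: Dict[str, Optional[str]] = {}
    for path, text in tree.items():
        if os.path.basename(path) == "mongoose.h":
            match = MG_VERSION_RE.search(text)
            found[path] = match.group(1) if match else None
    return found


def chromecast_enabled(pro_text: str) -> bool:
    """True if an uncommented 'DEFINES += CHROMECAST_SUPPORT' line is present.
    qmake treats '#' as a comment, so commenting the line out (the fix
    Ricardo describes) makes this return False."""
    for line in pro_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("#") and CHROMECAST_DEFINE_RE.match(stripped):
            return True
    return False


def makefile_builds_mongoose(make_text: str) -> bool:
    """True if any non-comment line of the Makefile references mongoose."""
    return any(
        "mongoose" in line and not line.lstrip().startswith("#")
        for line in make_text.splitlines()
    )


def audit(tree: Dict[str, str], min_ok_version: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged.
    min_ok_version is the first Mongoose release the caller trusts; this
    script makes no claim about which one that is."""
    findings: List[str] = []
    for path, version in find_mongoose(tree).items():
        if version is None:
            findings.append(f"{path}: vendored mongoose.h without MG_VERSION")
        elif parse_version(version) < parse_version(min_ok_version):
            findings.append(f"{path}: vendored Mongoose {version} is older than {min_ok_version}")
    for path, text in tree.items():
        if path.endswith(".pro") and chromecast_enabled(text):
            findings.append(f"{path}: CHROMECAST_SUPPORT still defined")
        if os.path.basename(path) == "Makefile" and makefile_builds_mongoose(text):
            findings.append(f"{path}: still builds the mongoose directory")
    return findings


if __name__ == "__main__":
    # Usage: audit_mongoose.py <checkout-dir> <min-ok-version>
    if len(sys.argv) == 3:
        tree, min_ok = load_tree(sys.argv[1]), sys.argv[2]
    else:
        tree, min_ok = SAMPLE_TREE, "6.9"  # placeholder threshold, not a claim
    for finding in audit(tree, min_ok):
        print(finding)
```

Run it against a checkout with the version threshold taken from the upstream advisory; an empty result means no vendored copy older than that threshold, no live CHROMECAST_SUPPORT define, and no Makefile recipe that still builds mongoose. Because the version check runs independently of the define check, it still fires when the define is commented out but the old copy is left in the tree, which is exactly the state Reinhard found with the first patch.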
