Bug#870233: marked as done (smplayer: executes javascript code downloaded from insecure URL)

Debian Bug Tracking System Sun, 03 Jun 2018 13:51:51 -0700

Your message dated Sun, 3 Jun 2018 16:48:29 -0400
with message-id 
<caj0ccez-g+-7xxmhhzhbmf7oczpxscrz9aomwrokaxj8kwf...@mail.gmail.com>
and subject line Re: Bug#870233: smplayer: executes javascript code downloaded 
from insecure URL
has caused the Debian Bug report #870233,
regarding smplayer: executes javascript code downloaded from insecure URL
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
870233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: smplayer
Version: 17.7.0~ds0-1
Severity: grave
Tags: security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

smplayer includes code in src/basegui.cpp to download and (I guess)
execute javascript code for parsing youtube paths.  The download URL is
http://updates.smplayer.info/yt.js which is insecure and therefore I
suspect easy to replace with evil code.


 - Jonas

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAll+w9sACgkQLHwxRsGg
ASEgTA//QMLa7jZwjXz3F1r+2NkukhdvQ5QQyZsXbk8sfHyOnCpHJmy2fqZhudmx
uq3hhOyCD1SVGLTGp0YURWe8ScwhebjqXfvtNIV4Xzz7oGkXGqWeBaYuYuEyvOF+
UtTDmKtg2ZbvbOjyuq4krEr8sKEH37WJn02esrDsrXSGrXmz5I42+pAlau5/vecb
NaHmcBs+jDKkLkoziKn3CSauqmmHXIn58ECO/cLD1ziPYGuZDjjgafUKxhQfDcKz
v5S/NbleKzWIMbgicpcXoru3FE88iBs8rKW0X8o0rg2AYXlvYjoTKFj3SAv5MYiv
Tlo9TgT7iWNXb2yK0FuxDDeG/FaM5g741CAWfAj/j9qTEF1E2Zf3F+YOrReFtMdw
szl2q2kw6vkmQzVA+0jBZIIw2VJCuMyDBxV5aDEEyaaw7Mc0l1rAFxHPcdq/Os/Q
UkW38xn5M0GMYOZAMOu55ymP6f5StrOTRqURUGCxY3ZcVTBSRMzG57ds8WlkcGa0
Rxb8EK/nCjAkbye7k1g9ajYuYEbYqdknBLZs9ngAEPF/CmadUmv7a+dfwAhfjy99
vXBiyJxNrwHwMZqqbZ7GYkplZOap5cuthJsA127bd9M4935ZmwgGY6hrx3+y4b5J
9FNO/9x1etJ2+skGjY+1t9vDBOuhqtE6VlR0i0N1bMKkxKM7J2w=
=ZQlT
-----END PGP SIGNATURE-----

--- End Message ---

--- Begin Message ---

Version: 17.11.2~ds0-1

Hi Jonas,

thank you for the report and sorry for the late reply,

On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard <d...@jones.dk> wrote:

> smplayer includes code in src/basegui.cpp to download and (I guess)
> execute javascript code for parsing youtube paths.  The download URL is
> http://updates.smplayer.info/yt.js which is insecure and therefore I
> suspect easy to replace with evil code.

Apparently, this was already fixed upstream quite some time ago in
package version 17.11.2~ds0-1 without mentioning this in
debian/changelog. I'm therefore closing this bug manually.

Best regards,
reinhard

--- End Message ---

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#870233: marked as done (smplayer: executes javascript code downloaded from insecure URL)

Reply via email to