Bug#898943: Multiple vulnerabiliities in Mongoose
I'm already using mongoose 6.11 in the svn of SMPlayer. So far it seems to work fine for me. https://app.assembla.com/spaces/smplayer/subversion/commits/9030 2018-06-07 15:08 GMT+02:00 Reinhard Tartler : > On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik wrote: > >> This is not fixed for me. I made patch with add latest Mongoose version >> which included fixed for all of this cve's. >> It pushed now to salsa. >> >> -- > > Thank you! > > I see that you've added > https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch > - which is a pretty big patch. I wouldn't know how to test it (I don't > use that feature) or even verify that the patch work. Matteusz, can > you please elaborate how you verified the patch and how confident are > you that it doesn't introduce unwanted side-effects? > > Ricardo, would that patch be acceptable for upstream inclusion? - Your > opinion is highly valued and would be helpful in forming an opinion on > Mateusz' patch. > > Mateusz, I also see that you prepared a new upstream version. That's > great, in fact, I've also prepared it locally to see if the issue > happened to be fixed upstream, but determined mongosse was not updated > and concluded the problem still persists. I've therefore decided to > not upload the new upstream version and focus on the existing issues > instead. Hence, I've applied the patch to disable the build of > mongoose in the present package version. I see that you disabled it in > https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde > (the commit message didn't help with finding that SHA1, I'd appreciate > more accurate messages in the future) - which is fine by me *if* we > are confident that the mongoose update actually fixes the problem (see > my question above). > > Also, did you verify that the new mongoose patch builds with GCC-8? My > patch to disable mongoose takes care of that as well, it would be a > shame to reintroduce #897863 again. > > -- > regards, > Reinhard -- RVM
Bug#898943: Multiple vulnerabiliities in Mongoose
On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik wrote: > This is not fixed for me. I made patch with add latest Mongoose version > which included fixed for all of this cve's. > It pushed now to salsa. > > -- Thank you! I see that you've added https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch - which is a pretty big patch. I wouldn't know how to test it (I don't use that feature) or even verify that the patch work. Matteusz, can you please elaborate how you verified the patch and how confident are you that it doesn't introduce unwanted side-effects? Ricardo, would that patch be acceptable for upstream inclusion? - Your opinion is highly valued and would be helpful in forming an opinion on Mateusz' patch. Mateusz, I also see that you prepared a new upstream version. That's great, in fact, I've also prepared it locally to see if the issue happened to be fixed upstream, but determined mongosse was not updated and concluded the problem still persists. I've therefore decided to not upload the new upstream version and focus on the existing issues instead. Hence, I've applied the patch to disable the build of mongoose in the present package version. I see that you disabled it in https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde (the commit message didn't help with finding that SHA1, I'd appreciate more accurate messages in the future) - which is fine by me *if* we are confident that the mongoose update actually fixes the problem (see my question above). Also, did you verify that the new mongoose patch builds with GCC-8? My patch to disable mongoose takes care of that as well, it would be a shame to reintroduce #897863 again. -- regards, Reinhard
Bug#898943: Multiple vulnerabiliities in Mongoose
On 04.06.2018 18:47 +0100, Reinhard Tartler wrote: Ok, thanks. That sounds like a good plan! Reinhard On Sun, Jun 3, 2018, 19:49 Ricardo Villalba <mailto:smplayer@gmail.com>> wrote: I don't know yet. I guess I'll have to look for another simple web server. 2018-06-03 23:15 GMT+02:00 Reinhard Tartler mailto:siret...@gmail.com>>: > Thanks for the tip, Ricardo! > > It appears that disabling that define still compiles (and installs) > the vulnerable program. I'll upload a new package that not only > disables that define, but also modifies the top-level Makefile to no > longer build and install mongoose: > > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch > > Let me know what you think and what do you intend to do upstream to > resolve this issue. > > Thanks, > Reinhard > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba mailto:smplayer@gmail.com>> wrote: >> >> Hello. >> >> I wasn't aware of those vulnerabilities in mongoose. >> It's possible to disable the support for chromecast in smplayer >> commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro <http://smplayer.pro> >> >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler mailto:siret...@gmail.com>>: >> > Hi Richardo, >> > >> > I'm not sure if you have seen this email, Moritz from the debian >> > security team is reporting a release-critical bug in smplayer. More >> > specifically, smplayer appears to be using the mongoose webserver >> > implementation as in implementation detail of the chromecast >> > component. >> > >> > Having to remove smplayer would be most unfortunate. I checked the >> > upstream commits at >> > https://github.com/cesanta/mongoose/commits/master, but apparently >> > there is no fix available yet. Maybe I'm missing something but if not, >> > my question to you is whether we can easily disable the chromecast >> > component from the smplayer build? >> > >> > Please let me know your thoughts on this. >> > >> > Best, >> > Reinhard >> > >> > -- Forwarded message - >> > From: Moritz Muehlenhoff mailto:j...@debian.org>> >> > Date: Thu, May 17, 2018 at 12:51 PM >> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose >> > To: Debian Bug Tracking System mailto:sub...@bugs.debian.org>> >> > >> > >> > Source: smplayer >> > Severity: grave >> > Tags: security >> > >> > smplayer seems to embed Cesenta Mongoose: >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 >> > >> > Cheers, >> > Moritz >> > >> > ___ >> > pkg-multimedia-maintainers mailing list >> > pkg-multimedia-maintain...@alioth-lists.debian.net <mailto:pkg-multimedia-maintain...@alioth-lists.debian.net> >> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers >> > >> > >> > -- >> > regards, >> > Reinhard >> >> >> >> -- >> RVM > > > > -- > regards, > Reinhard -- RVM Hi, This is not fixed for me. I made patch with add latest Mongoose version which included fixed for all of this cve's. It pushed now to salsa. -- .''`. Mateusz Łukasik : :' : https://l0calh0st.pl `. `' Debian Member - mat...@linuxmint.pl `-GPG: D93B 0C12 C8D0 4D7A AFBC FA27 CCD9 1D61 11A0 6851
Bug#898943: Multiple vulnerabiliities in Mongoose
On Mon, Jun 04, 2018 at 12:47:48PM -0400, Reinhard Tartler wrote: > Ok, thanks. That sounds like a good plan! BTW, I'm not sure if Talos security actually reported these to the censenta/mongoose upstream project or whether they're doing it for the security buzz/advertising factor... I saw that upstream seem to be fairly active, so maybe it's just a matter of properly reporting these vulnerabilities on their Github page, letting them fix them and then rebasing the mongoose copy to the fixed version? Cheers, Moritz
Bug#898943: Multiple vulnerabiliities in Mongoose
Ok, thanks. That sounds like a good plan! Reinhard On Sun, Jun 3, 2018, 19:49 Ricardo Villalba wrote: > I don't know yet. I guess I'll have to look for another simple web server. > > > 2018-06-03 23:15 GMT+02:00 Reinhard Tartler : > > Thanks for the tip, Ricardo! > > > > It appears that disabling that define still compiles (and installs) > > the vulnerable program. I'll upload a new package that not only > > disables that define, but also modifies the top-level Makefile to no > > longer build and install mongoose: > > > > > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch > > > > Let me know what you think and what do you intend to do upstream to > > resolve this issue. > > > > Thanks, > > Reinhard > > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba > wrote: > >> > >> Hello. > >> > >> I wasn't aware of those vulnerabilities in mongoose. > >> It's possible to disable the support for chromecast in smplayer > >> commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro > >> > >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler : > >> > Hi Richardo, > >> > > >> > I'm not sure if you have seen this email, Moritz from the debian > >> > security team is reporting a release-critical bug in smplayer. More > >> > specifically, smplayer appears to be using the mongoose webserver > >> > implementation as in implementation detail of the chromecast > >> > component. > >> > > >> > Having to remove smplayer would be most unfortunate. I checked the > >> > upstream commits at > >> > https://github.com/cesanta/mongoose/commits/master, but apparently > >> > there is no fix available yet. Maybe I'm missing something but if not, > >> > my question to you is whether we can easily disable the chromecast > >> > component from the smplayer build? > >> > > >> > Please let me know your thoughts on this. > >> > > >> > Best, > >> > Reinhard > >> > > >> > -- Forwarded message - > >> > From: Moritz Muehlenhoff > >> > Date: Thu, May 17, 2018 at 12:51 PM > >> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose > >> > To: Debian Bug Tracking System > >> > > >> > > >> > Source: smplayer > >> > Severity: grave > >> > Tags: security > >> > > >> > smplayer seems to embed Cesenta Mongoose: > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 > >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 > >> > > >> > Cheers, > >> > Moritz > >> > > >> > ___ > >> > pkg-multimedia-maintainers mailing list > >> > pkg-multimedia-maintain...@alioth-lists.debian.net > >> > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers > >> > > >> > > >> > -- > >> > regards, > >> > Reinhard > >> > >> > >> > >> -- > >> RVM > > > > > > > > -- > > regards, > > Reinhard > > > > -- > RVM >
Bug#898943: Multiple vulnerabiliities in Mongoose
I don't know yet. I guess I'll have to look for another simple web server. 2018-06-03 23:15 GMT+02:00 Reinhard Tartler : > Thanks for the tip, Ricardo! > > It appears that disabling that define still compiles (and installs) > the vulnerable program. I'll upload a new package that not only > disables that define, but also modifies the top-level Makefile to no > longer build and install mongoose: > > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch > > Let me know what you think and what do you intend to do upstream to > resolve this issue. > > Thanks, > Reinhard > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba > wrote: >> >> Hello. >> >> I wasn't aware of those vulnerabilities in mongoose. >> It's possible to disable the support for chromecast in smplayer >> commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro >> >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler : >> > Hi Richardo, >> > >> > I'm not sure if you have seen this email, Moritz from the debian >> > security team is reporting a release-critical bug in smplayer. More >> > specifically, smplayer appears to be using the mongoose webserver >> > implementation as in implementation detail of the chromecast >> > component. >> > >> > Having to remove smplayer would be most unfortunate. I checked the >> > upstream commits at >> > https://github.com/cesanta/mongoose/commits/master, but apparently >> > there is no fix available yet. Maybe I'm missing something but if not, >> > my question to you is whether we can easily disable the chromecast >> > component from the smplayer build? >> > >> > Please let me know your thoughts on this. >> > >> > Best, >> > Reinhard >> > >> > -- Forwarded message - >> > From: Moritz Muehlenhoff >> > Date: Thu, May 17, 2018 at 12:51 PM >> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose >> > To: Debian Bug Tracking System >> > >> > >> > Source: smplayer >> > Severity: grave >> > Tags: security >> > >> > smplayer seems to embed Cesenta Mongoose: >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 >> > >> > Cheers, >> > Moritz >> > >> > ___ >> > pkg-multimedia-maintainers mailing list >> > pkg-multimedia-maintain...@alioth-lists.debian.net >> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers >> > >> > >> > -- >> > regards, >> > Reinhard >> >> >> >> -- >> RVM > > > > -- > regards, > Reinhard -- RVM
Bug#898943: Multiple vulnerabiliities in Mongoose
Thanks for the tip, Ricardo! It appears that disabling that define still compiles (and installs) the vulnerable program. I'll upload a new package that not only disables that define, but also modifies the top-level Makefile to no longer build and install mongoose: https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch Let me know what you think and what do you intend to do upstream to resolve this issue. Thanks, Reinhard On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba wrote: > > Hello. > > I wasn't aware of those vulnerabilities in mongoose. > It's possible to disable the support for chromecast in smplayer > commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro > > 2018-06-03 18:41 GMT+02:00 Reinhard Tartler : > > Hi Richardo, > > > > I'm not sure if you have seen this email, Moritz from the debian > > security team is reporting a release-critical bug in smplayer. More > > specifically, smplayer appears to be using the mongoose webserver > > implementation as in implementation detail of the chromecast > > component. > > > > Having to remove smplayer would be most unfortunate. I checked the > > upstream commits at > > https://github.com/cesanta/mongoose/commits/master, but apparently > > there is no fix available yet. Maybe I'm missing something but if not, > > my question to you is whether we can easily disable the chromecast > > component from the smplayer build? > > > > Please let me know your thoughts on this. > > > > Best, > > Reinhard > > > > -- Forwarded message - > > From: Moritz Muehlenhoff > > Date: Thu, May 17, 2018 at 12:51 PM > > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose > > To: Debian Bug Tracking System > > > > > > Source: smplayer > > Severity: grave > > Tags: security > > > > smplayer seems to embed Cesenta Mongoose: > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 > > > > Cheers, > > Moritz > > > > ___ > > pkg-multimedia-maintainers mailing list > > pkg-multimedia-maintain...@alioth-lists.debian.net > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers > > > > > > -- > > regards, > > Reinhard > > > > -- > RVM -- regards, Reinhard
Bug#898943: Multiple vulnerabiliities in Mongoose
Source: smplayer Severity: grave Tags: security smplayer seems to embed Cesenta Mongoose: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 Cheers, Moritz
