I don't know yet. I guess I'll have to look for another simple web server.

2018-06-03 23:15 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
> Thanks for the tip, Ricardo!
>
> It appears that disabling that define still compiles (and installs)
> the vulnerable program. I'll upload a new package that not only
> disables that define, but also modifies the top-level Makefile to no
> longer build and install mongoose:
>
> https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
>
> Let me know what you think and what you intend to do upstream to
> resolve this issue.
>
> Thanks,
> Reinhard
> On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer....@gmail.com> wrote:
>>
>> Hello.
>>
>> I wasn't aware of those vulnerabilities in mongoose.
>> It's possible to disable the support for chromecast in smplayer
>> by commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
>>
>> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
>> > Hi Ricardo,
>> >
>> > I'm not sure if you have seen this email, Moritz from the Debian
>> > security team is reporting a release-critical bug in smplayer. More
>> > specifically, smplayer appears to be using the mongoose webserver
>> > implementation as an implementation detail of the chromecast
>> > component.
>> >
>> > Having to remove smplayer would be most unfortunate. I checked the
>> > upstream commits at
>> > https://github.com/cesanta/mongoose/commits/master, but apparently
>> > there is no fix available yet. Maybe I'm missing something but if not,
>> > my question to you is whether we can easily disable the chromecast
>> > component from the smplayer build?
>> >
>> > Please let me know your thoughts on this.
>> >
>> > Best,
>> > Reinhard
>> >
>> > ---------- Forwarded message ---------
>> > From: Moritz Muehlenhoff <j...@debian.org>
>> > Date: Thu, May 17, 2018 at 12:51 PM
>> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
>> > To: Debian Bug Tracking System <sub...@bugs.debian.org>
>> >
>> >
>> > Source: smplayer
>> > Severity: grave
>> > Tags: security
>> >
>> > smplayer seems to embed Cesanta Mongoose:
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
>> >
>> > Cheers,
>> >         Moritz
>> >
>> > _______________________________________________
>> > pkg-multimedia-maintainers mailing list
>> > pkg-multimedia-maintain...@alioth-lists.debian.net
>> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
>> >
>> >
>> > --
>> > regards,
>> >     Reinhard
>>
>>
>>
>> --
>> RVM
>
>
>
> --
> regards,
>     Reinhard



-- 
RVM
