Ok, thanks. That sounds like a good plan!

Reinhard

On Sun, Jun 3, 2018, 19:49 Ricardo Villalba <smplayer....@gmail.com> wrote:
> I don't know yet. I guess I'll have to look for another simple web server.
>
>
> 2018-06-03 23:15 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
> > Thanks for the tip, Ricardo!
> >
> > It appears that disabling that define still compiles (and installs)
> > the vulnerable program. I'll upload a new package that not only
> > disables that define, but also modifies the top-level Makefile to no
> > longer build and install mongoose:
> >
> > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
> >
> > Let me know what you think and what you intend to do upstream to
> > resolve this issue.
> >
> > Thanks,
> > Reinhard
> >
> > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer....@gmail.com> wrote:
> >>
> >> Hello.
> >>
> >> I wasn't aware of those vulnerabilities in mongoose.
> >> It's possible to disable the support for chromecast in smplayer by
> >> commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
> >>
> >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siret...@gmail.com>:
> >> > Hi Ricardo,
> >> >
> >> > I'm not sure if you have seen this email. Moritz from the Debian
> >> > security team is reporting a release-critical bug in smplayer. More
> >> > specifically, smplayer appears to be using the mongoose webserver
> >> > implementation as an implementation detail of the chromecast
> >> > component.
> >> >
> >> > Having to remove smplayer would be most unfortunate. I checked the
> >> > upstream commits at
> >> > https://github.com/cesanta/mongoose/commits/master, but apparently
> >> > there is no fix available yet. Maybe I'm missing something, but if not,
> >> > my question to you is whether we can easily disable the chromecast
> >> > component from the smplayer build?
> >> >
> >> > Please let me know your thoughts on this.
> >> >
> >> > Best,
> >> > Reinhard
> >> >
> >> > ---------- Forwarded message ---------
> >> > From: Moritz Muehlenhoff <j...@debian.org>
> >> > Date: Thu, May 17, 2018 at 12:51 PM
> >> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
> >> > To: Debian Bug Tracking System <sub...@bugs.debian.org>
> >> >
> >> >
> >> > Source: smplayer
> >> > Severity: grave
> >> > Tags: security
> >> >
> >> > smplayer seems to embed Cesanta Mongoose:
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
> >> >
> >> > Cheers,
> >> > Moritz
> >> >
> >> > _______________________________________________
> >> > pkg-multimedia-maintainers mailing list
> >> > pkg-multimedia-maintain...@alioth-lists.debian.net
> >> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
> >> >
> >> >
> >> > --
> >> > regards,
> >> > Reinhard
> >>
> >>
> >>
> >> --
> >> RVM
> >
> >
> >
> > --
> > regards,
> > Reinhard
>
>
> --
> RVM
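The thread makes two points a packager should be able to verify mechanically: commenting out `DEFINES += CHROMECAST_SUPPORT` in src/smplayer.pro removes chromecast from the smplayer binary, but the top-level Makefile still builds and installs a separate mongoose program, so the vulnerable code ships anyway. The script below is an added example, not code from the thread, from smplayer or from Debian. It parses a .pro file for an active CHROMECAST_SUPPORT define (handling only unconditional `DEFINES =`, `+=` and `-=` lines and `#` comments, which is an assumption about the file's shape) and then scans a source or install tree, as raw bytes, for files carrying mongoose's own markers. The marker strings (`MG_VERSION`, `mg_mgr_init`, `mongoose.h`) are my assumption about what identifies a vendored copy; the demo tree it checks is constructed, not a real checkout.

```python
"""Check whether an smplayer tree still carries mongoose after the define is disabled.

Added example for the thread above; not smplayer or Debian code.
"""
import os
import re
import tempfile

# Assumption: these strings identify a vendored copy of Cesanta Mongoose, in
# sources and in a compiled `mongoose` binary alike (string literals survive
# compilation). They are not taken from the thread.
MONGOOSE_MARKERS = (b"MG_VERSION", b"mg_mgr_init", b"mongoose.h")

# Unconditional qmake DEFINES lines only; scoped forms such as "unix:DEFINES += X"
# are deliberately not handled (assumption about src/smplayer.pro's shape).
_DEFINES_RE = re.compile(r"^\s*DEFINES\s*(\+=|-=|=)\s*(.*)$")


def chromecast_define_active(pro_text, symbol="CHROMECAST_SUPPORT"):
    """Return True if the .pro text still leaves `symbol` in DEFINES.

    Replays assignments in order so a later `DEFINES -= symbol` wins, and a
    line commented out with '#' (the fix Ricardo describes) is ignored.
    """
    defines = set()
    for raw in pro_text.splitlines():
        code = raw.split("#", 1)[0]  # '#' starts a qmake comment; a commented line becomes ''
        m = _DEFINES_RE.match(code)
        if not m:
            continue
        op, values = m.group(1), set(m.group(2).split())
        if op == "=":
            defines = values
        elif op == "+=":
            defines |= values
        else:
            defines -= values
    return symbol in defines


def scan_tree_for_mongoose(root, max_bytes=8 * 1024 * 1024):
    """Return sorted, slash-separated relative paths of files containing a marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or special file: skip rather than abort the scan
            if any(marker in data for marker in MONGOOSE_MARKERS):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def assess(root):
    """Combine both checks for a tree laid out like an smplayer checkout."""
    with open(os.path.join(root, "src", "smplayer.pro"), encoding="utf-8", errors="replace") as fh:
        define_on = chromecast_define_active(fh.read())
    hits = scan_tree_for_mongoose(root)
    return {
        "chromecast_define_active": define_on,
        "mongoose_files": hits,
        "still_ships_mongoose": bool(hits),  # the case the thread warns about
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as fh:
        fh.write(data)


def build_demo_tree(root):
    """Constructed stand-in for a checkout with the define commented out."""
    _write(os.path.join(root, "src", "smplayer.pro"),
           "TEMPLATE = app\n# DEFINES += CHROMECAST_SUPPORT\nDEFINES += MPV_SUPPORT\n")
    _write(os.path.join(root, "src", "main.cpp"), "int main() { return 0; }\n")
    _write(os.path.join(root, "src", "mongoose", "mongoose.h"), '#define MG_VERSION "6.x"\n')
    # Fake installed binary: only the embedded strings matter to the scanner.
    _write(os.path.join(root, "install", "usr", "bin", "mongoose"),
           b"\x7fELF" + b"\x00" * 16 + b"mg_mgr_init\x00")


def demo():
    """Build the constructed tree and assess it; returns the report dict."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return assess(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real checkout with `assess("/path/to/smplayer")` after building and installing into a staging directory under it: `chromecast_define_active` should be False, and `mongoose_files` should be empty once the Makefile no longer builds the mongoose program. The demo tree reproduces the intermediate state the thread describes, where the define is off but the installed `mongoose` binary and the vendored header are still present.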