Bug#870233: marked as done (smplayer: executes javascript code downloaded from insecure URL)

2018-06-03 Thread Debian Bug Tracking System
Your message dated Sun, 3 Jun 2018 16:48:29 -0400
with message-id 

and subject line Re: Bug#870233: smplayer: executes javascript code downloaded 
from insecure URL
has caused the Debian Bug report #870233,
regarding smplayer: executes javascript code downloaded from insecure URL
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
870233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: smplayer
Version: 17.7.0~ds0-1
Severity: grave
Tags: security
Justification: user security hole

smplayer includes code in src/basegui.cpp to download and (I guess)
execute javascript code for parsing youtube paths.  The download URL is
http://updates.smplayer.info/yt.js which is insecure and therefore I
suspect easy to replace with evil code.


 - Jonas
--- End Message ---
--- Begin Message ---
Version: 17.11.2~ds0-1

Hi Jonas,

thank you for the report and sorry for the late reply,

On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard  wrote:

> smplayer includes code in src/basegui.cpp to download and (I guess)
> execute javascript code for parsing youtube paths.  The download URL is
> http://updates.smplayer.info/yt.js which is insecure and therefore I
> suspect easy to replace with evil code.

Apparently, this was already fixed upstream quite some time ago in
package version 17.11.2~ds0-1 without mentioning this in
debian/changelog. I'm therefore closing this bug manually.

Best regards,
reinhard
--- End Message ---
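
An audit a packager could run to find the pattern described in the report, as an added example (not code from smplayer or from the Debian package): it scans C/C++ source text for URL string literals that fetch script files and flags the ones fetched over a scheme without transport integrity. The sample source, its function names and the example.org URLs are constructed; only the yt.js URL comes from the report.

```python
import re
from urllib.parse import urlsplit

# File types the fetching program would interpret or execute.
CODE_SUFFIXES = (".js", ".lua", ".py", ".sh")
# A C/C++ string literal that holds a URL.
URL_LITERAL = re.compile(r'"((?:https?|ftp)://(?:[^"\\]|\\.)*)"')

# Constructed sample source (hypothetical names, not the real src/basegui.cpp).
SAMPLE = '''\
void refresh_parser() {
    const char *docs = "https://example.org/help.html";
    // fetch_script("http://example.org/old.js");
    fetch_script("http://updates.smplayer.info/yt.js");
    fetch_script("https://example.org/parser.js");
}
'''


def audit_source(path, text):
    """Return (path, line_no, url, severity) for each remotely fetched script.

    "high": script fetched over http/ftp, so anyone on the network path
            can replace it before it is executed.
    "info": script fetched over https; the transport is authenticated, but
            it is still remote code that the package does not ship or pin.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # only whole-line // comments are skipped
        for match in URL_LITERAL.finditer(line):
            url = match.group(1)
            parts = urlsplit(url)
            if not parts.path.lower().endswith(CODE_SUFFIXES):
                continue  # documentation links, images, etc.
            severity = "info" if parts.scheme == "https" else "high"
            findings.append((path, line_no, url, severity))
    return findings


if __name__ == "__main__":
    for finding in audit_source("sample.cpp", SAMPLE):
        print("%s:%d: %s [%s]" % finding)
```
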


Bug#870233: marked as done (smplayer: executes javascript code downloaded from insecure URL)

2018-06-19 Thread Debian Bug Tracking System
Your message dated Tue, 19 Jun 2018 18:22:38 +
with message-id 
and subject line Bug#870233: fixed in smplayer 18.5.0~ds1-2
has caused the Debian Bug report #870233,
regarding smplayer: executes javascript code downloaded from insecure URL
to be marked as done.

--- Begin Message ---
Source: smplayer
Source-Version: 18.5.0~ds1-2

We believe that the bug you reported is fixed in the latest version of
smplayer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler  (supplier of updated smplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 19 Jun 2018 13:58:18 -0400
Source: smplayer
Binary: smplayer smplayer-l10n
Architecture: source
Version: 18.5.0~ds1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers 
Changed-By: Reinhard Tartler 
Description:
 smplayer   - Complete front-end for MPlayer and mpv
 smplayer-l10n - Complete front-end for MPlayer and mpv - translation files
Closes: 870233
Changes:
 smplayer (18.5.0~ds1-2) unstable; urgency=medium
 .
   * Disable downloading potentially insecure javascript from youtube.com
 (Closes: #870233)
--- End Message ---