<div dir="ltr">Ok, thanks. That sounds like a good plan!</div><div dir="ltr"><br></div><div dir="ltr">Reinhard</div><span>
</span><br><div class="gmail_quote"><div dir="ltr">On Sun, Jun 3, 2018, 19:49 Ricardo Villalba <<a href="mailto:smplayer.dev@gmail.com">smplayer.dev@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I don't know yet. I guess I'll have to look for another simple web server.<br>
<br>
<br>
2018-06-03 23:15 GMT+02:00 Reinhard Tartler <<a href="mailto:siretart@gmail.com" target="_blank">siretart@gmail.com</a>>:<br>
> Thanks for the tip, Ricardo!<br>
><br>
> It appears that disabling that define still compiles (and installs)<br>
> the vulnerable program. I'll upload a new package that not only<br>
> disables that define, but also modifies the top-level Makefile to no<br>
> longer build and install mongoose:<br>
><br>
> <a href="https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch" rel="noreferrer" target="_blank">https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch</a><br>
><br>
> Let me know what you think and what you intend to do upstream to<br>
> resolve this issue.<br>
><br>
> Thanks,<br>
> Reinhard<br>
> On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <<a href="mailto:smplayer.dev@gmail.com" target="_blank">smplayer.dev@gmail.com</a>> wrote:<br>
>><br>
>> Hello.<br>
>><br>
>> I wasn't aware of those vulnerabilities in mongoose.<br>
>> It's possible to disable the support for chromecast in smplayer<br>
>> by commenting out the line DEFINES += CHROMECAST_SUPPORT in src/<a href="http://smplayer.pro" rel="noreferrer" target="_blank">smplayer.pro</a><br>
>><br>
>> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <<a href="mailto:siretart@gmail.com" target="_blank">siretart@gmail.com</a>>:<br>
>> > Hi Ricardo,<br>
>> ><br>
>> > I'm not sure if you have seen this email, Moritz from the debian<br>
>> > security team is reporting a release-critical bug in smplayer. More<br>
>> > specifically, smplayer appears to be using the mongoose webserver<br>
>> > implementation as an implementation detail of the chromecast<br>
>> > component.<br>
>> ><br>
>> > Having to remove smplayer would be most unfortunate. I checked the<br>
>> > upstream commits at<br>
>> > <a href="https://github.com/cesanta/mongoose/commits/master" rel="noreferrer" target="_blank">https://github.com/cesanta/mongoose/commits/master</a>, but apparently<br>
>> > there is no fix available yet. Maybe I'm missing something but if not,<br>
>> > my question to you is whether we can easily disable the chromecast<br>
>> > component from the smplayer build?<br>
>> ><br>
>> > Please let me know your thoughts on this.<br>
>> ><br>
>> > Best,<br>
>> > Reinhard<br>
>> ><br>
>> > ---------- Forwarded message ---------<br>
>> > From: Moritz Muehlenhoff <<a href="mailto:jmm@debian.org" target="_blank">jmm@debian.org</a>><br>
>> > Date: Thu, May 17, 2018 at 12:51 PM<br>
>> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose<br>
>> > To: Debian Bug Tracking System <<a href="mailto:submit@bugs.debian.org" target="_blank">submit@bugs.debian.org</a>><br>
>> ><br>
>> ><br>
>> > Source: smplayer<br>
>> > Severity: grave<br>
>> > Tags: security<br>
>> ><br>
>> > smplayer seems to embed Cesanta Mongoose:<br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921</a><br>
>> > <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922" rel="noreferrer" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922</a><br>
>> ><br>
>> > Cheers,<br>
>> >         Moritz<br>
>> ><br>
>> > _______________________________________________<br>
>> > pkg-multimedia-maintainers mailing list<br>
>> > <a href="mailto:pkg-multimedia-maintainers@alioth-lists.debian.net" target="_blank">pkg-multimedia-maintainers@alioth-lists.debian.net</a><br>
>> > <a href="https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers" rel="noreferrer" target="_blank">https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers</a><br>
>> ><br>
>> ><br>
>> > --<br>
>> > regards,<br>
>> >     Reinhard<br>
>><br>
>><br>
>><br>
>> --<br>
>> RVM<br>
><br>
><br>
><br>
> --<br>
> regards,<br>
>     Reinhard<br>
<br>
<br>
<br>
-- <br>
RVM<br>
</blockquote></div>