Bug#870233: smplayer: executes javascript code downloaded from insecure URL
James Cowgill
jcowgill at debian.org
Mon Jul 31 08:47:34 UTC 2017
Control: found -1 14.9.0~ds0-1
Control: fixed -1 17.7.0~ds0-1
Hi,
On 31/07/17 06:45, Jonas Smedegaard wrote:
> Source: smplayer
> Version: 17.7.0~ds0-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> smplayer includes code in src/basegui.cpp to download and (I guess)
> execute javascript code for parsing youtube paths. The download URL is
> http://updates.smplayer.info/yt.js which is insecure and therefore I
> suspect easy to replace with evil code.
If I am reading the code correctly, it looks like the javascript
download code is gated on the YT_USE_YTSIG define which is disabled in
the version in buster/sid:
https://sources.debian.net/src/smplayer/17.7.0~ds0-1/src/smplayer.pro/#L439
However, it is enabled in stretch and jessie (with a slightly different
define in jessie):
https://sources.debian.net/src/smplayer/16.11.0~ds0-1/src/smplayer.pro/#L442
https://sources.debian.net/src/smplayer/14.9.0~ds0-1/src/smplayer.pro/#L339
So I think this bug only affects those versions.
Thanks,
James
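
The triage step in the message above (checking whether a qmake `DEFINES` entry is active in a given source version) can be scripted. This is an added example, not part of the original message or of smplayer; the `.pro` fragments and the `EXAMPLE_*` names are constructed, and only `YT_USE_YTSIG` comes from the page. It ignores qmake scope conditions, so a define set inside any block counts as enabled.

```python
import re

# Constructed qmake fragments (NOT copied from smplayer.pro) for the two
# states discussed: define active vs. define commented out.
PRO_ENABLED = """\
DEFINES += EXAMPLE_FEATURE
contains( DEFINES, EXAMPLE_FEATURE ) {
    DEFINES += EXAMPLE_OTHER YT_USE_YTSIG
}
"""
PRO_DISABLED = """\
DEFINES += EXAMPLE_FEATURE
contains( DEFINES, EXAMPLE_FEATURE ) {
    DEFINES += EXAMPLE_OTHER
    #DEFINES += YT_USE_YTSIG
}
"""

# Optional "scope:" prefixes, then DEFINES, an assignment operator, the values.
ASSIGN = re.compile(r"^\s*(?:[^\s:{}]+\s*:\s*)*DEFINES\s*(\+=|\*=|-=|=)\s*(.*)$")

def logical_lines(text):
    """Yield (first_lineno, line) with '#' comments stripped and
    backslash continuations joined into one logical line."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf

def define_state(text, name):
    """Return (enabled, lineno) from the last DEFINES assignment that sets,
    removes, or resets `name`. Scope conditions are not evaluated."""
    enabled, where = False, None
    for no, line in logical_lines(text):
        m = ASSIGN.match(line)
        if not m:
            continue
        op, values = m.group(1), m.group(2).split()
        if op == "=" or name in values:
            enabled = name in values and op != "-="
            where = no
    return enabled, where
```

Running `define_state(open("src/smplayer.pro").read(), "YT_USE_YTSIG")` against each unpacked source version gives a per-release answer; a result of `True` should still be confirmed by reading the surrounding scope.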