Bug#898943: Multiple vulnerabilities in Mongoose

Reinhard Tartler siretart at gmail.com
Sun Jun 3 22:15:57 BST 2018


Thanks for the tip, Ricardo!

It appears that disabling that define still compiles (and installs)
the vulnerable program. I'll upload a new package that not only
disables that define, but also modifies the top-level Makefile to no
longer build and install mongoose:

https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch

Let me know what you think and what you intend to do upstream to
resolve this issue.

Thanks,
Reinhard
On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer.dev at gmail.com> wrote:
>
> Hello.
>
> I wasn't aware of those vulnerabilities in mongoose.
> It's possible to disable the support for chromecast in smplayer
> by commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
>
> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
> > Hi Ricardo,
> >
> > I'm not sure if you have seen this email, Moritz from the debian
> > security team is reporting a release-critical bug in smplayer. More
> > specifically, smplayer appears to be using the mongoose webserver
> > implementation as an implementation detail of the chromecast
> > component.
> >
> > Having to remove smplayer would be most unfortunate. I checked the
> > upstream commits at
> > https://github.com/cesanta/mongoose/commits/master, but apparently
> > there is no fix available yet. Maybe I'm missing something but if not,
> > my question to you is whether we can easily disable the chromecast
> > component from the smplayer build?
> >
> > Please let me know your thoughts on this.
> >
> > Best,
> > Reinhard
> >
> > ---------- Forwarded message ---------
> > From: Moritz Muehlenhoff <jmm at debian.org>
> > Date: Thu, May 17, 2018 at 12:51 PM
> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
> > To: Debian Bug Tracking System <submit at bugs.debian.org>
> >
> >
> > Source: smplayer
> > Severity: grave
> > Tags: security
> >
> > smplayer seems to embed Cesanta Mongoose:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
> >
> > Cheers,
> >         Moritz
> >
> > _______________________________________________
> > pkg-multimedia-maintainers mailing list
> > pkg-multimedia-maintainers at alioth-lists.debian.net
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
> >
> >
> > --
> > regards,
> >     Reinhard
>
>
>
> --
> RVM



-- 
regards,
    Reinhard
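The thread turns on one build switch: the CHROMECAST_SUPPORT define in src/smplayer.pro is what pulls the embedded mongoose server into the smplayer build. The script below is an added example written for this page; it is not code from the thread, from the smplayer project, or from the Debian package. It checks whether a qmake .pro file still has that define active (ignoring commented-out lines and longer tokens such as CHROMECAST_SUPPORT_X), and can comment the line out the way Ricardo describes. The helper names are hypothetical and the .pro excerpt it runs on is constructed inline; the real src/smplayer.pro may differ.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the smplayer sources.
# Hypothetical helpers for auditing a qmake .pro file for the
# CHROMECAST_SUPPORT define that enables the embedded mongoose server.

# Print "enabled" if an uncommented DEFINES += ... line sets
# CHROMECAST_SUPPORT as a whole token, otherwise "disabled".
chromecast_define_state() {
    # Drop everything after a '#' so commented-out lines do not count,
    # then require the token to end at whitespace or end of line so
    # names like CHROMECAST_SUPPORT_X are not mistaken for it.
    if sed 's/#.*//' "$1" | grep -Eq \
        '^[[:space:]]*DEFINES[[:space:]]*\+=[[:space:]]*(.*[[:space:]])?CHROMECAST_SUPPORT([[:space:]]|$)'; then
        echo enabled
    else
        echo disabled
    fi
}

# Comment out a line that consists only of "DEFINES += CHROMECAST_SUPPORT".
# A backup copy is kept as <file>.bak. Lines that set several defines at
# once are left alone and will still be reported by the check above.
disable_chromecast_define() {
    sed -i.bak -E \
        's/^([[:space:]]*DEFINES[[:space:]]*\+=[[:space:]]*CHROMECAST_SUPPORT[[:space:]]*)$/# \1/' \
        "$1"
}

# Stand-alone demonstration on a constructed .pro excerpt.
demo_pro=$(mktemp)
cat > "$demo_pro" <<'EOF'
# constructed excerpt, not the real src/smplayer.pro
DEFINES += YOUTUBE_SUPPORT
DEFINES += CHROMECAST_SUPPORT
# DEFINES += SOME_OTHER_FEATURE
EOF
before=$(chromecast_define_state "$demo_pro")
disable_chromecast_define "$demo_pro"
after=$(chromecast_define_state "$demo_pro")
echo "CHROMECAST_SUPPORT before: $before, after: $after"
rm -f "$demo_pro" "$demo_pro.bak"
```

As Reinhard notes further up, flipping the define only removes the feature from smplayer itself; the top-level Makefile can still compile and install the mongoose binary, so a package review also has to confirm that nothing from the mongoose sources ends up in the built package.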
