Bug#898943: Multiple vulnerabilities in Mongoose
Ricardo Villalba
smplayer.dev at gmail.com
Mon Jun 4 00:49:22 BST 2018
I don't know yet. I guess I'll have to look for another simple web server.
2018-06-03 23:15 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
> Thanks for the tip, Ricardo!
>
> It appears that disabling that define still compiles (and installs)
> the vulnerable program. I'll upload a new package that not only
> disables that define, but also modifies the top-level Makefile to no
> longer build and install mongoose:
>
> https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
>
> Let me know what you think and what you intend to do upstream to
> resolve this issue.
>
> Thanks,
> Reinhard
> On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer.dev at gmail.com> wrote:
>>
>> Hello.
>>
>> I wasn't aware of those vulnerabilities in mongoose.
>> It's possible to disable the support for chromecast in smplayer
>> by commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro
>>
>> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
>> > Hi Ricardo,
>> >
>> > I'm not sure if you have seen this email, Moritz from the debian
>> > security team is reporting a release-critical bug in smplayer. More
>> > specifically, smplayer appears to be using the mongoose webserver
>> > implementation as an implementation detail of the chromecast
>> > component.
>> >
>> > Having to remove smplayer would be most unfortunate. I checked the
>> > upstream commits at
>> > https://github.com/cesanta/mongoose/commits/master, but apparently
>> > there is no fix available yet. Maybe I'm missing something but if not,
>> > my question to you is whether we can easily disable the chromecast
>> > component from the smplayer build?
>> >
>> > Please let me know your thoughts on this.
>> >
>> > Best,
>> > Reinhard
>> >
>> > ---------- Forwarded message ---------
>> > From: Moritz Muehlenhoff <jmm at debian.org>
>> > Date: Thu, May 17, 2018 at 12:51 PM
>> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
>> > To: Debian Bug Tracking System <submit at bugs.debian.org>
>> >
>> >
>> > Source: smplayer
>> > Severity: grave
>> > Tags: security
>> >
>> > smplayer seems to embed Cesanta Mongoose:
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
>> >
>> > Cheers,
>> > Moritz
>> >
>> > _______________________________________________
>> > pkg-multimedia-maintainers mailing list
>> > pkg-multimedia-maintainers at alioth-lists.debian.net
>> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
>> >
>> >
>> > --
>> > regards,
>> > Reinhard
>>
>>
>>
>> --
>> RVM
>
>
>
> --
> regards,
> Reinhard
--
RVM
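The thread makes one practical point for packagers: commenting out the qmake define is not enough, because the top-level Makefile still built and installed the mongoose binary. The following POSIX shell check is an added example written for this page, not code from smplayer, Debian or the thread participants. It assumes the layout the thread names (`src/smplayer.pro` carrying `DEFINES += CHROMECAST_SUPPORT`) and an install or build tree that may still contain a file named `mongoose`; both paths are passed as arguments.

```shell
#!/bin/sh
# Added example: verify that a build really dropped the Chromecast/mongoose
# component. Assumptions (not from the thread): the .pro file path and the
# install tree are given as $1 and $2; mongoose ships as a file named mongoose*.

# Returns 0 if an active (uncommented) DEFINES line still enables CHROMECAST_SUPPORT.
chromecast_define_enabled() {
    grep -Eq '^[[:space:]]*DEFINES[[:space:]]*\+=.*CHROMECAST_SUPPORT' "$1"
}

# Returns 0 if any regular file named mongoose* exists below the given tree.
mongoose_artifacts_present() {
    [ -n "$(find "$1" -type f -name 'mongoose*' 2>/dev/null | head -n 1)" ]
}

# Overall audit: returns 0 when clean, 1 when the component is still present.
audit_tree() {
    pro="$1"; tree="$2"; rc=0
    if chromecast_define_enabled "$pro"; then
        echo "FAIL: CHROMECAST_SUPPORT is still defined in $pro"; rc=1
    fi
    if mongoose_artifacts_present "$tree"; then
        echo "FAIL: mongoose artifacts found under $tree:"
        find "$tree" -type f -name 'mongoose*'; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no Chromecast define, no mongoose artifacts"
    return "$rc"
}

# Stand-alone usage: audit_mongoose.sh src/smplayer.pro debian/smplayer/usr
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

Run it against the package's staging directory after `make install`; a non-zero exit means the patch removed the feature switch but the vulnerable web server is still being shipped, which is exactly the situation described in the thread.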