Bug#870233: smplayer: executes javascript code downloaded from insecure URL
Jonas Smedegaard
dr at jones.dk
Mon Jun 4 02:36:35 BST 2018
Hi Reinhard,

Excerpts from Reinhard Tartler's message of June 3, 2018 10:48 pm:
> On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard <dr at jones.dk> wrote:
>> smplayer includes code in src/basegui.cpp to download and (I guess)
>> execute javascript code for parsing youtube paths. The download URL
>> is http://updates.smplayer.info/yt.js which is insecure and therefore
>> I suspect easy to replace with evil code.
>
> Apparently, this was already fixed upstream quite some time ago in
> package version 17.11.2~ds0-1 without mentioning this in
> debian/changelog. I'm therefore closing this bug manually.

Sorry, but I don't see any such change, and it seems the problematic
code is still there:

$ git grep updates.smplayer.info
src/links.h:#define URL_YT_CODE "http://updates.smplayer.info/yt.js"
src/links.h:#define URL_VERSION_INFO "http://updates.smplayer.info/version_info.ini"

$ grep -C5 URL_YT_CODE src/basegui.cpp
void BaseGui::YTUpdateScript() {
    static CodeDownloader * downloader = 0;
    if (!downloader) downloader = new CodeDownloader(this);
    downloader->saveAs(Paths::configPath() + "/yt.js");
    downloader->show();
    downloader->download(QUrl(URL_YT_CODE));
}
#endif // YT_USE_YTSIG
#endif //YOUTUBE_SUPPORT

void BaseGui::gotForbidden() {

Could you perhaps reference the git commit you believe fixed this?

 - Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
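
The two greps in the message above, combined into one repeatable check, as an added example that is not part of the original message or of smplayer's code: it lists macros defined as cleartext `http://` URLs and reports which of them are passed to a `download(` call. The sample tree is constructed from the lines quoted in the message; `URL_EXAMPLE_TLS`, its URL and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a source tree for code fetched over cleartext HTTP.
export LC_ALL=C

# Print the names of macros #defined to a plain http:// URL, one per line.
cleartext_url_macros() {
    grep -rhE '^[[:space:]]*#[[:space:]]*define[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+"http://' "$1" |
        sed -E 's/^[[:space:]]*#[[:space:]]*define[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/' |
        sort -u
}

# Print "relative/path:MACRO" for each such macro passed to a download( call.
cleartext_downloads() {
    for macro in $(cleartext_url_macros "$1"); do
        grep -rlE "download[[:space:]]*\\((.*[^A-Za-z0-9_])?${macro}[^A-Za-z0-9_]" "$1" |
            while read -r f; do
                rel=${f#"$1"/}
                printf '%s:%s\n' "$rel" "$macro"
            done
    done | sort
}

# Constructed sample tree: the two http:// defines and the download call are
# the lines quoted in the message; URL_EXAMPLE_TLS is a made-up https control.
make_sample_tree() {
    dir=$(mktemp -d) && mkdir "$dir/src" || return 1
    cat > "$dir/src/links.h" <<'EOF'
#define URL_YT_CODE "http://updates.smplayer.info/yt.js"
#define URL_VERSION_INFO "http://updates.smplayer.info/version_info.ini"
#define URL_EXAMPLE_TLS "https://example.invalid/ok.js"
EOF
    cat > "$dir/src/basegui.cpp" <<'EOF'
void BaseGui::YTUpdateScript() {
    downloader->saveAs(Paths::configPath() + "/yt.js");
    downloader->download(QUrl(URL_YT_CODE));
}
EOF
    printf '%s\n' "$dir"
}

tree=$(make_sample_tree) && cleartext_downloads "$tree"   # src/basegui.cpp:URL_YT_CODE
rm -rf "$tree"
```

A non-empty result from `cleartext_downloads` can be used to fail a packaging or CI job until the URL is moved to HTTPS or the download is removed.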