Bug#898943: Multiple vulnerabilities in Mongoose
Mateusz Łukasik
mati75 at linuxmint.pl
Thu Jun 7 11:20:22 BST 2018
On 04.06.2018 18:47 +0100, Reinhard Tartler wrote:
> Ok, thanks. That sounds like a good plan!
>
> Reinhard
>
> On Sun, Jun 3, 2018, 19:49 Ricardo Villalba <smplayer.dev at gmail.com> wrote:
>
> I don't know yet. I guess I'll have to look for another simple web
> server.
>
>
> 2018-06-03 23:15 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
> > Thanks for the tip, Ricardo!
> >
> > It appears that disabling that define still compiles (and installs)
> > the vulnerable program. I'll upload a new package that not only
> > disables that define, but also modifies the top-level Makefile to no
> > longer build and install mongoose:
> >
> >
> > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch
> >
> > Let me know what you think and what do you intend to do upstream to
> > resolve this issue.
> >
> > Thanks,
> > Reinhard
> > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba <smplayer.dev at gmail.com> wrote:
> >>
> >> Hello.
> >>
> >> I wasn't aware of those vulnerabilities in mongoose.
> >> It's possible to disable the support for chromecast in smplayer by
> >> commenting out the line DEFINES += CHROMECAST_SUPPORT in
> >> src/smplayer.pro
> >>
> >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
> >> > Hi Ricardo,
> >> >
> >> > I'm not sure if you have seen this email. Moritz from the Debian
> >> > security team is reporting a release-critical bug in smplayer. More
> >> > specifically, smplayer appears to be using the mongoose webserver
> >> > implementation as an implementation detail of the chromecast
> >> > component.
> >> >
> >> > Having to remove smplayer would be most unfortunate. I checked the
> >> > upstream commits at
> >> > https://github.com/cesanta/mongoose/commits/master, but apparently
> >> > there is no fix available yet. Maybe I'm missing something, but if not,
> >> > my question to you is whether we can easily disable the chromecast
> >> > component in the smplayer build.
> >> >
> >> > Please let me know your thoughts on this.
> >> >
> >> > Best,
> >> > Reinhard
> >> >
> >> > ---------- Forwarded message ---------
> >> > From: Moritz Muehlenhoff <jmm at debian.org>
> >> > Date: Thu, May 17, 2018 at 12:51 PM
> >> > Subject: Bug#898943: Multiple vulnerabilities in Mongoose
> >> > To: Debian Bug Tracking System <submit at bugs.debian.org>
> >> >
> >> >
> >> > Source: smplayer
> >> > Severity: grave
> >> > Tags: security
> >> >
> >> > smplayer seems to embed Cesanta Mongoose:
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
> >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922
> >> >
> >> > Cheers,
> >> > Moritz
> >> >
> >> > _______________________________________________
> >> > pkg-multimedia-maintainers mailing list
> >> > pkg-multimedia-maintainers at alioth-lists.debian.net
> >> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
> >> >
> >> >
> >> > --
> >> > regards,
> >> > Reinhard
> >>
> >>
> >>
> >> --
> >> RVM
> >
> >
> >
> > --
> > regards,
> > Reinhard
>
> --
> RVM
Hi,
This is not fixed for me. I made a patch adding the latest Mongoose version,
which includes fixes for all of these CVEs.
It is now pushed to salsa.
--
.''`. Mateusz Łukasik
: :' : https://l0calh0st.pl
`. `' Debian Member - mati75 at linuxmint.pl
`- GPG: D93B 0C12 C8D0 4D7A AFBC FA27 CCD9 1D61 11A0 6851
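Reinhard's observation above that disabling the define still compiled and installed the vulnerable program, and Mateusz's fix of replacing the embedded copy with a current Mongoose, point to the check a packager wants before uploading: does the tree still carry a stale embedded Mongoose, and is the Mongoose-backed chromecast component still switched on in the qmake file? The shell script below is an added example written for this archive page; it is not code from the thread, from smplayer, from Mongoose or from Debian. It assumes the embedded copy uses the Mongoose 6.x header layout (a `#define MG_VERSION "..."` line in mongoose.h). The sample files it creates and every version number in them are constructed, including the `6.10` threshold, which is not a claim about which upstream release fixed the CVEs listed in the bug; take that value from the Mongoose changelog.

```shell
#!/bin/sh
# Added audit helper (not code from smplayer, Mongoose or Debian).
# (a) reads the version of an embedded Mongoose copy from mongoose.h
# (b) checks whether a qmake .pro file still enables CHROMECAST_SUPPORT
# Assumption: Mongoose 6.x header layout, i.e. a line  #define MG_VERSION "6.x"

# Print the MG_VERSION string found in a Mongoose header, or "none".
mongoose_version() {
    v=$(sed -n 's/^#define[[:space:]]*MG_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# Return 0 if dotted version $1 is >= $2, comparing component by component
# numerically (so 6.10 > 6.9, unlike a plain string comparison).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# Return 0 if the qmake file still has an active (uncommented)
# "DEFINES += CHROMECAST_SUPPORT" line; a leading '#' disables it.
chromecast_enabled() {
    grep -Eq '^[[:space:]]*DEFINES[[:space:]]*\+=.*CHROMECAST_SUPPORT' "$1"
}

# Audit one tree. Returns 0 only when no stale embedded Mongoose is present,
# because, as the thread notes, merely disabling CHROMECAST_SUPPORT still
# leaves the old copy built and installed. The .pro state is reported as well.
#   $1 = mongoose.h   $2 = smplayer.pro   $3 = minimum acceptable MG_VERSION
audit_tree() {
    v=$(mongoose_version "$1")
    rc=0
    if [ "$v" = "none" ]; then
        echo "no MG_VERSION in $1: no embedded Mongoose copy to check"
    elif version_ge "$v" "$3"; then
        echo "embedded Mongoose $v >= $3: ok"
    else
        echo "embedded Mongoose $v < $3: stale copy, update or stop building it"
        rc=1
    fi
    if chromecast_enabled "$2"; then
        echo "CHROMECAST_SUPPORT still enabled in $2"
    else
        echo "CHROMECAST_SUPPORT disabled in $2"
    fi
    return $rc
}

# Constructed sample tree (not real smplayer sources) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mongoose.h" <<'EOF'
/* constructed sample: an old embedded copy */
#define MG_VERSION "6.9"
EOF
cat > "$SAMPLE_DIR/smplayer.pro" <<'EOF'
# constructed sample: chromecast component still enabled
DEFINES += CHROMECAST_SUPPORT
EOF
cat > "$SAMPLE_DIR/smplayer-disabled.pro" <<'EOF'
# constructed sample: the line commented out as Ricardo suggests
#DEFINES += CHROMECAST_SUPPORT
EOF

# "6.10" is a constructed sample threshold, not a statement of which
# Mongoose release fixed the listed CVEs; take that from upstream.
if audit_tree "$SAMPLE_DIR/mongoose.h" "$SAMPLE_DIR/smplayer.pro" "6.10"; then
    echo "audit passed"
else
    echo "audit flagged the tree"
fi
```

Run it from the top of an unpacked source tree with the real paths in place of the sample ones; a non-zero exit from `audit_tree` means the embedded copy is older than the threshold you pass, independent of whether the chromecast define has been commented out.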