Bug#898943: Multiple vulnerabilities in Mongoose

Reinhard Tartler siretart at gmail.com
Thu Jun 7 14:08:08 BST 2018


On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik <mati75 at linuxmint.pl> wrote:

> This is not fixed for me. I made a patch that adds the latest Mongoose version,
> which includes fixes for all of these CVEs.
> It is pushed to salsa now.

Thank you!

I see that you've added
https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch
- which is a pretty big patch. I wouldn't know how to test it (I don't
use that feature) or even verify that the patch works. Mateusz, can
you please elaborate how you verified the patch and how confident are
you that it doesn't introduce unwanted side-effects?

Ricardo, would that patch be acceptable for upstream inclusion? - Your
opinion is highly valued and would be helpful in forming an opinion on
Mateusz' patch.

Mateusz, I also see that you prepared a new upstream version. That's
great; in fact, I've also prepared it locally to see if the issue
happened to be fixed upstream, but determined mongoose was not updated
and concluded the problem still persists. I've therefore decided not
to upload the new upstream version and to focus on the existing issues
instead. Hence, I've applied the patch to disable the build of
mongoose in the present package version. I see that you disabled it in
https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde
(the commit message didn't help with finding that SHA1; I'd appreciate
more accurate messages in the future) - which is fine by me *if* we
are confident that the mongoose update actually fixes the problem (see
my question above).

Also, did you verify that the new mongoose patch builds with GCC-8? My
patch to disable mongoose takes care of that as well; it would be a
shame to reintroduce #897863.

-- 
regards,
    Reinhard