Bug#870233: smplayer: executes javascript code downloaded from insecure URL

Reinhard Tartler siretart at gmail.com
Thu Jun 7 14:16:33 BST 2018


On Sun, Jun 3, 2018 at 9:36 PM Jonas Smedegaard <dr at jones.dk> wrote:
>
> Hi Reinhard,
>
> Excerpts from Reinhard Tartler's message of June 3, 2018 10:48 pm:
> > On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard <dr at jones.dk> wrote:
> >> smplayer includes code in src/basegui.cpp to download and (I guess)
> >> execute javascript code for parsing youtube paths.  The download URL
> >> is http://updates.smplayer.info/yt.js which is insecure and therefore
> >> I suspect easy to replace with evil code.
> >
> > Apparently, this was already fixed upstream quite some time ago in
> > package version 17.11.2~ds0-1 without mentioning this in
> > debian/changelog. I'm therefore closing this bug manually.
>
> Sorry, but I don't see any such change, and it seems the problematic
> code is still there:
>
>
> $ git grep updates.smplayer.info
> src/links.h:#define URL_YT_CODE "http://updates.smplayer.info/yt.js"
> src/links.h:#define URL_VERSION_INFO
> "http://updates.smplayer.info/version_info.ini"
>
>
> $ grep -C5 URL_YT_CODE src/basegui.cpp
> void BaseGui::YTUpdateScript() {
>         static CodeDownloader * downloader = 0;
>         if (!downloader) downloader = new CodeDownloader(this);
>         downloader->saveAs(Paths::configPath() + "/yt.js");
>         downloader->show();
>         downloader->download(QUrl(URL_YT_CODE));
> }
> #endif // YT_USE_YTSIG
> #endif //YOUTUBE_SUPPORT
>
> void BaseGui::gotForbidden() {
>
>
> Could you perhaps reference the git commit you believe fixed this?

From Mateusz' patch 2831d03e5e7cbb9328469ad92e0fea8ec19ee943 in the
'stretch' branch (unfortunately not uploaded to salsa yet, Mateusz,
do you happen to have the jessie and stretch branches available on
your computer? If so, please kindly upload them to salsa - I found it
in my mail archive), I conclude that in order to solve the issue, we
need to make sure that the define YT_USE_YTSIG is not set:


diff --git a/debian/patches/07-fixyoutube.patch
b/debian/patches/07-fixyoutube.patch
index b968a03..78d3fe5 100644
--- a/debian/patches/07-fixyoutube.patch
+++ b/debian/patches/07-fixyoutube.patch
@@ -1,5 +1,6 @@
 Description: Fix connections to youtube.
 Bug-Debian: http://bugs.debian.org/869411
+Author: Ricardo Villalba <rvm at escomposlinux.org>

 --- a/src/youtube/sig.cpp
 +++ b/src/youtube/sig.cpp
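Review bot: The only change in this hunk is DEP-3 metadata (an `Author:` line) in 07-fixyoutube.patch, which addresses #869411 rather than #870233; it would be cleaner as a separate commit so the security change below stays reviewable on its own. If the intent is to record that the patch comes from upstream, `Origin: upstream, <commit or release>` is the DEP-3 field for that, alongside `Author:`.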
diff --git a/debian/patches/08-870233.patch b/debian/patches/08-870233.patch
new file mode 100644
index 0000000..d6a0975
--- /dev/null
+++ b/debian/patches/08-870233.patch
@@ -0,0 +1,16 @@
+Description: Disable executes javascript code downloaded from insecure URL
+Author: Mateusz Łukasik <mati75 at linuxmint.pl>
+Bug-Debian: https://bugs.debian.org/870233
+Last-Update: 2017-07-31
+
+--- a/src/smplayer.pro
++++ b/src/smplayer.pro
+@@ -439,7 +439,7 @@ contains( DEFINES, YOUTUBE_SUPPORT ) {
+
+       contains( DEFINES, YT_USE_SCRIPT ) {
+               DEFINES += YT_USE_SIG
+-              DEFINES += YT_USE_YTSIG
++              #DEFINES += YT_USE_YTSIG
+               QT += script
+       }
+
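Review bot: The `Description:` line is ungrammatical ("Disable executes javascript code ..."); suggest "Disable execution of javascript code downloaded from insecure URL". On the logic: commenting out `DEFINES += YT_USE_YTSIG` only drops the define from this one qmake block, so `BaseGui::YTUpdateScript()` (guarded by `#endif // YT_USE_YTSIG` in the quoted basegui.cpp) is compiled out rather than removed, and `URL_YT_CODE` stays defined in src/links.h; any other place that adds `YT_USE_YTSIG` to `DEFINES` would silently re-enable the download. Worth confirming in the build log that `-DYT_USE_YTSIG` does not appear, and consider deleting the `URL_YT_CODE` define so that re-enabling it becomes a build error instead. Note also that `DEFINES += YT_USE_SIG` is kept, so this is deliberately narrower than disabling the whole `YT_USE_SCRIPT` block.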


This is done as per upstream version 17.11.2 and that's why I have
closed the bug with that version. It appears to me that undefining
URL_YT_CODE disables more functionality than strictly necessary, but I
may be misreading the code. In any case, comments on this are more
than welcome. I'd also appreciate comments from Ricardo, who is
listed as the author of the patch.

Jonas, do you have reason to believe that the bug is still present in
18.2.2 (the version that is currently in unstable)? If so, please
elaborate.

Best,
Reinhard
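A packager-side check for the point discussed in this thread, added here as an example (it is not part of the bug report, the Debian patch, or the smplayer project): it verifies that a source tree about to be built really has `YT_USE_YTSIG` disabled in src/smplayer.pro (an uncommented `DEFINES += YT_USE_YTSIG` is what compiles in `BaseGui::YTUpdateScript()`), and that src/links.h defines no `URL_*` macro pointing at a plain `http://` URL. The file paths come from the thread; the two sample trees at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from smplayer. Checks a tree for the
# two conditions that make the insecure remote-script path buildable:
#   1. an active (uncommented) "DEFINES += YT_USE_YTSIG" in src/smplayer.pro
#   2. a "#define URL_..." in src/links.h whose value starts with http://

# Returns 0 if no active "DEFINES += YT_USE_YTSIG" line exists in the .pro file.
# Comments are stripped first, so the patched "#DEFINES += YT_USE_YTSIG" passes.
ytsig_disabled() {
    pro="$1"
    ! sed 's/#.*$//' "$pro" \
        | grep -Eq '^[[:space:]]*DEFINES[[:space:]]*[+]=[[:space:]]*YT_USE_YTSIG([[:space:]]|$)'
}

# Prints (to stderr) every URL_* macro with a plain http:// value; returns 0 if none.
no_plain_http_urls() {
    hdr="$1"
    found=$(grep -En '^[[:space:]]*#define[[:space:]]+URL_[A-Z_]+[[:space:]]+"http://' "$hdr" || true)
    if [ -n "$found" ]; then
        printf 'insecure URL macro(s) in %s:\n%s\n' "$hdr" "$found" >&2
        return 1
    fi
    return 0
}

# Overall gate for a tree root: both checks must pass.
check_tree() {
    ytsig_disabled "$1/src/smplayer.pro" && no_plain_http_urls "$1/src/links.h"
}

# Constructed sample trees (not real smplayer sources) for the demonstration.
make_sample() {
    dir="$1"; pro_line="$2"; url_line="$3"
    mkdir -p "$dir/src"
    printf '%s\n' \
        'contains( DEFINES, YT_USE_SCRIPT ) {' \
        '        DEFINES += YT_USE_SIG' \
        "        $pro_line" \
        '        QT += script' \
        '}' > "$dir/src/smplayer.pro"
    printf '%s\n' "$url_line" > "$dir/src/links.h"
}

SAMPLE_BAD=$(mktemp -d)   # unpatched: define active, http:// URL present
SAMPLE_OK=$(mktemp -d)    # patched: define commented out, only an https URL
make_sample "$SAMPLE_BAD" 'DEFINES += YT_USE_YTSIG' \
    '#define URL_YT_CODE "http://updates.smplayer.info/yt.js"'
make_sample "$SAMPLE_OK"  '#DEFINES += YT_USE_YTSIG' \
    '#define URL_VERSION_INFO "https://example.invalid/version_info.ini"'

# Usage: check_tree /path/to/smplayer-source ; exit status 0 means both checks passed.
check_tree "$SAMPLE_OK"  && echo "patched sample: OK"
check_tree "$SAMPLE_BAD" 2>/dev/null || echo "unpatched sample: insecure path still buildable"
```

Run `check_tree` against the unpacked source after `quilt push -a` (or wherever the patches are applied) and fail the build if it returns non-zero; because it inspects the .pro file rather than the binary, it catches the define being re-added by a later patch before anything is compiled.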


