Bug#898943: Multiple vulnerabilities in Mongoose

Ricardo Villalba smplayer.dev at gmail.com
Thu Jun 7 20:37:21 BST 2018


I'm already using mongoose 6.11 in the svn of SMPlayer. So far it
seems to work fine for me.

https://app.assembla.com/spaces/smplayer/subversion/commits/9030

2018-06-07 15:08 GMT+02:00 Reinhard Tartler <siretart at gmail.com>:
> On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik <mati75 at linuxmint.pl> wrote:
>
>> This is not fixed for me. I made a patch that adds the latest Mongoose
>> version, which includes fixes for all of these CVEs.
>> It is pushed now to salsa.
>>
>> --
>
> Thank you!
>
> I see that you've added
> https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch
> - which is a pretty big patch. I wouldn't know how to test it (I don't
> use that feature) or even verify that the patch works. Mateusz, can
> you please elaborate how you verified the patch and how confident are
> you that it doesn't introduce unwanted side-effects?
>
> Ricardo, would that patch be acceptable for upstream inclusion? - Your
> opinion is highly valued and would be helpful in forming an opinion on
> Mateusz' patch.
>
> Mateusz, I also see that you prepared a new upstream version. That's
> great, in fact, I've also prepared it locally to see if the issue
> happened to be fixed upstream, but determined mongoose was not updated
> and concluded the problem still persists. I've therefore decided to
> not upload the new upstream version and focus on the existing issues
> instead. Hence, I've applied the patch to disable the build of
> mongoose in the present package version. I see that you disabled it in
> https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde
> (the commit message didn't help with finding that SHA1, I'd appreciate
> more accurate messages in the future) - which is fine by me *if* we
> are confident that the mongoose update actually fixes the problem (see
> my question above).
>
> Also, did you verify that the new mongoose patch builds with GCC-8? My
> patch to disable mongoose takes care of that as well, it would be a
> shame to reintroduce #897863 again.
>
> --
> regards,
>     Reinhard



-- 
RVM