Bug#870233: smplayer: executes javascript code downloaded from insecure URL

Reinhard Tartler siretart at gmail.com
Thu Jun 7 22:45:12 BST 2018


Sorry, I messed up Ricardo's email address in my previous follow-up, so
his reply went to me only. I'm quoting his input with his permission:

> Older versions of SMPlayer downloaded a javascript function from
> http://updates.smplayer.info/yt.js in order to decrypt a signature,
> which is necessary to play some Youtube videos (mostly music
> videos). Newer versions don't do it anymore because now SMPlayer
> downloads the original function from a Youtube page. If you consider
> this to be also insecure, you can disable it by commenting the line
> DEFINES += YT_USE_SIG in smplayer.pro.


It seems that I confused the define YT_USE_SIG (which is still enabled)
with the define YT_USE_*YT*SIG (which is currently commented out in
smplayer.pro). My bad, sorry. I'll add a patch to the debian packaging that
disables that shortly.

I'm also happy to upload it as soon as I hear back from Mateusz regarding
my question(s) about mongoose.

Thanks everyone!

-- 
regards,
    Reinhard