[Pkg-owncloud-maintainers] Security issue in libjs-jquery-jplayer

Pau Garcia i Quiles pgquiles at elpauer.org
Fri Apr 12 23:17:05 UTC 2013


Hello,

Well, it seems solving this in a clean way is not going to be possible. Let
me explain.

jPlayer does not follow the usual "patch releases are for
bugfixes/security fixes" policy but also adds new features.

One of those features is RTMP support in the Flash fallback, which was
added as soon as 2.1.1 (commit c40b7882c24cd50edeb1124aa450ab9542b04ede, on
April 10th, 2012). Unfortunately this also adds a dependency on a type
(UncaughtErrorEvent) which as3compile does not support. This means we
cannot build any version of jPlayer newer than 2.1.0 [*].

The security fix committed on March 29th, 2013 (commit
e8ca190f7f972a6a421cb95f09e138720e40ed6d) depends on extensive changes
introduced in 2.1.2 (commit f7ebe5b65859250df2a3d2ac6b7b6607e6bb8691, on
April 12th, 2012).

Which means either I do a very very ugly patch to 2.1.0 to backport all
security fixes (which I'm working on but I'm not sure it will work as
expected), or we go for a full newer version (2.1.5, the latest patch
release for the 2.1.x series) and apply an ugly patch which may create
trouble.

[*] Unless we disable that event, which may result in undesired behavior. I
do not know how bad this "undesired behavior" is: the result is the same as
using Flash Player < 10.1.



On Thu, Apr 11, 2013 at 8:25 PM, David Prévot <david at tilapin.org> wrote:

> Hi Pau,
>
> Thanks for your quick answer,
>
> Le 11/04/2013 14:15, Pau Garcia i Quiles a écrit :
>
> > Do you need that specific version of jPlayer for OwnCloud or would it be
> > OK to upload the latest version, which I guess includes the fix already?
>
> For Owncloud, the latest would be fine, but the security and release
> teams, on the other hand, will probably not accept it for Wheezy.
> Please, get in touch with them.
>
> > The new jquery-jplayer version FTBFS, I hope Pau (CC) will manage to
> > backport the security fix in a timely manner.
>
> If you manage to build the latest version, an upload to experimental
> would be welcome in the meantime.
>
> Regards
>
> David
>



-- 
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)