[Pkg-owncloud-maintainers] Security issue in libjs-jquery-jplayer

Pau Garcia i Quiles pgquiles at elpauer.org
Thu Apr 25 16:23:41 UTC 2013


Hello,

I have packaged jPlayer 2.3.0 for experimental. It is now available from
mentors and I hope it will soon be sponsored.

As for 2.1.0, I think I cannot reliably backport *all* the security fixes:
there are many changes from 2.1.0 to 2.3.0, most of them non-security
related and the git commit log does not always mention whether a change is
security-related or not. In addition to that, some security fixes depend on
new features.

IMHO 2.3.0 should be uploaded to stable too as a security release. Far from
ideal but...


On Sat, Apr 13, 2013 at 1:17 AM, Pau Garcia i Quiles
<pgquiles at elpauer.org> wrote:

> Hello,
>
> Well, it seems solving this in a clean way is not going to be possible.
> Let me explain.
>
> jPlayer does not follow the usual "patch releases are for
> bugfixes/security fixes" policy but also adds new features.
>
> One of those features is RTMP support in the Flash fallback, which was
> added as soon as 2.1.1 (commit c40b7882c24cd50edeb1124aa450ab9542b04ede, on
> April 10th, 2012). Unfortunately this also adds a dependency on a type
> (UncaughtErrorEvent) which as3compile does not support. This means we
> cannot build any version of jPlayer newer than 2.1.0 [*].
>
> The security fix committed on March 29th, 2013 (commit
> e8ca190f7f972a6a421cb95f09e138720e40ed6d) depends on extensive changes
> introduced in 2.1.2 (commit f7ebe5b65859250df2a3d2ac6b7b6607e6bb8691, on
> April 12th, 2012).
>
> Which means either I do a very very ugly patch to 2.1.0 to backport all
> security fixes (which I'm working on but I'm not sure it will work as
> expected), or we go for a full newer version (2.1.5, the latest patch
> release for the 2.1.x series) and apply an ugly patch which may create
> trouble.
>
> [*] Unless we disable that event, which may result in undesired behavior.
> I do not know how bad this "undesired behavior" is: the result is the same as
> using Flash Player < 10.1.
>
>
>
> On Thu, Apr 11, 2013 at 8:25 PM, David Prévot <david at tilapin.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hi Pau,
>>
>> Thanks for your quick answer,
>>
>> Le 11/04/2013 14:15, Pau Garcia i Quiles a écrit :
>>
>> > Do you need that specific version of jPlayer for OwnCloud or would it
>> > be OK to upload the latest version, which I guess includes the fix
>> > already?
>>
>> For Owncloud, the latest would be fine, but the security and release
>> teams, on the other hand, will probably not accept it for Wheezy.
>> Please, get in touch with them.
>>
>> > The new jquery-jplayer version FTBFS, I hope Pau (CC) will manage to
>> > backport the security fix in a timely manner.
>>
>> If you manage to build the latest version, an upload to experimental
>> would be welcome in the meantime.
>>
>> Regards
>>
>> David
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.12 (GNU/Linux)
>>
>> iQIcBAEBCAAGBQJRZwAYAAoJELgqIXr9/gnyERwP/12C6coAsOKjoVJqdpj/+TTu
>> psbvja/JKiCYcEt9j3p4YZCDmC+nursi7w/F7X8SuaKwgIjgSvqXQkych/Ouz/42
>> HqPUdnmBC/GKyArgcVb/hC9qkR0J8htC8WgzX0PkPylZOBH7IMiCAWYdhScN2fOd
>> HgxhDaZKxTu2Hs33pAaecuCaoGdkVZDXuCkqciwyFjaaZTd3hv1UdaBFNjjbPc6Z
>> C1g0IxDygxj7uuMQ/r2T1N9wEueIOYO+TZ0wwv70sAYgawZ8rThpt6ra2P9c9z+z
>> K72amKf0cFh4UuUYwP7uh9rqMuRceEs+l+ce6kxL0RMbVRgcTx9RhB/B3ICaVpl9
>> HtMtoM1JnlZOLJVYc0v3zVfZfo4kBh7a9vTrVmlKiwWCrhDwlK0M9BiyxiUJeWbu
>> Wmh4PnyA4n4YMQ102BkdKXCbEzLDp8p4kMXF2blznHbKwNXuW6RX/3l12WEOaTXu
>> ItdJwJzR8R2wRnwSdOSWAY5BUOTqMPKc1R1YS1HRAdAZLiTjIpDd/Mw5NTR+ofu1
>> /wf9/SW+azT94nfI82PhBO1Y5vZ1acolGNfy9fxrK2kLtaPR6HHlqYxkg7C1dCVB
>> IAT/ginea6R0ZDahZB3cugfzN1+2RJlxFRTHhUc9c+5LJW5lP/XyX1uJ1w4tt41E
>> S1MHuhAL3We7xkdAI4Fv
>> =nJnJ
>> -----END PGP SIGNATURE-----
>>
>
>
>
> --
> Pau Garcia i Quiles
> http://www.elpauer.org
> (Due to my workload, I may need 10 days to answer)
>



-- 
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)