[Pkg-owncloud-maintainers] Security issue in libjs-jquery-jplayer

Pau Garcia i Quiles pgquiles at elpauer.org
Fri Apr 26 22:59:19 UTC 2013


Hello,

I have put together a Frankenstein: 2.1.0 + 3 security fixes I have
identified by looking at the logs and release notes. It's available from
mentors as 2.1.0-2:

http://mentors.debian.net/debian/pool/main/j/jquery-jplayer/jquery-jplayer_2.1.0-2.dsc

In my tests, it seems to work. Please report your findings, especially on
the Flash fallback side.

jPlayer 2.3.0-1 is also available from mentors:

http://mentors.debian.net/debian/pool/main/j/jquery-jplayer/jquery-jplayer_2.3.0-1~experimental1.dsc



On Thu, Apr 25, 2013 at 6:23 PM, Pau Garcia i Quiles
<pgquiles at elpauer.org> wrote:

> Hello,
>
> I have packaged jPlayer 2.3.0 for experimental. It is now available from
> mentors and I hope it will soon be sponsored.
>
> As for 2.1.0, I think I cannot reliably backport *all* the security fixes:
> there are many changes from 2.1.0 to 2.3.0, most of them non-security
> related and the git commit log does not always mention whether a change is
> security-related or not. In addition to that, some security fixes depend on
> new features.
>
> IMHO 2.3.0 should be uploaded to stable too as a security release. Far
> from ideal but...
>
>
> On Sat, Apr 13, 2013 at 1:17 AM, Pau Garcia i Quiles
> <pgquiles at elpauer.org> wrote:
>
>> Hello,
>>
>> Well, it seems solving this in a clean way is not going to be possible.
>> Let me explain.
>>
>> jPlayer does not follow the usual "patch releases are for
>> bugfixes/security fixes" policy but also adds new features.
>>
>> One of those features is RTMP support in the Flash fallback, which was
>> added as soon as 2.1.1 (commit c40b7882c24cd50edeb1124aa450ab9542b04ede, on
>> April 10th, 2012). Unfortunately this also adds a dependency on a type
>> (UncaughtErrorEvent) which as3compile does not support. This means we
>> cannot build any version of jPlayer newer than 2.1.0 [*].
>>
>> The security fix committed on March 29th, 2013 (commit
>> e8ca190f7f972a6a421cb95f09e138720e40ed6d) depends on extensive changes
>> introduced in 2.1.2 (commit f7ebe5b65859250df2a3d2ac6b7b6607e6bb8691, on
>> April 12th, 2012).
>>
>> Which means either I do a very very ugly patch to 2.1.0 to backport all
>> security fixes (which I'm working on but I'm not sure it will work as
>> expected), or we go for a full newer version (2.1.5, the latest patch
>> release for the 2.1.x series) and apply an ugly patch which may create
>> trouble.
>>
>> [*] Unless we disable that event, which may result in undesired behavior.
>> I do not know how bad this "undesired behavior" is: the result is the same as
>> using Flash Player < 10.1.
>>
>>
>>
>> On Thu, Apr 11, 2013 at 8:25 PM, David Prévot <david at tilapin.org> wrote:
>>
>>> Hi Pau,
>>>
>>> Thanks for your quick answer,
>>>
>>> On 11/04/2013 14:15, Pau Garcia i Quiles wrote:
>>>
>>> > Do you need that specific version of jPlayer for OwnCloud or would it
>>> > be OK to upload the latest version, which I guess includes the fix already?
>>>
>>> For Owncloud, the latest would be fine, but the security and release
>>> teams, on the other hand, will probably not accept it for Wheezy.
>>> Please, get in touch with them.
>>>
>>> > The new jquery-jplayer version FTBFS, I hope Pau (CC) will manage to
>>> > backport the security fix in a timely manner.
>>>
>>> If you manage to build the latest version, an upload to experimental
>>> would be welcome in the meantime.
>>>
>>> Regards
>>>
>>> David
>>>



-- 
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)