Multiple vulnerabilities in Mongoose

Debian Bug report logs - #898943

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 17 May 2018 16:51:02 UTC

Severity: grave

Tags: security

Fixed in version smplayer/18.5.0~ds1-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Thu, 17 May 2018 16:51:04 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 17 May 2018 16:51:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple vulnerabiliities in Mongoose
Date: Thu, 17 May 2018 18:48:44 +0200
Source: smplayer
Severity: grave
Tags: security

smplayer seems to embed Cesanta Mongoose:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922

Cheers,
        Moritz



Information stored :
Bug#898943; Package src:smplayer. (Sun, 03 Jun 2018 16:45:03 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and filed, but not forwarded. (Sun, 03 Jun 2018 16:45:03 GMT).


Message #10 received at 898943-quiet@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Ricardo Villalba <smplayer.dev@gmail.com>
Cc: 898943-quiet@bugs.debian.org
Subject: Fwd: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Sun, 3 Jun 2018 12:41:37 -0400
Hi Ricardo,

I'm not sure if you have seen this email, Moritz from the Debian
security team is reporting a release-critical bug in smplayer. More
specifically, smplayer appears to be using the mongoose webserver
implementation as an implementation detail of the chromecast
component.

Having to remove smplayer would be most unfortunate. I checked the
upstream commits at
https://github.com/cesanta/mongoose/commits/master, but apparently
there is no fix available yet. Maybe I'm missing something but if not,
my question to you is whether we can easily disable the chromecast
component from the smplayer build?

Please let me know your thoughts on this.

Best,
Reinhard


-- 
regards,
    Reinhard



Information stored :
Bug#898943; Package src:smplayer. (Sun, 03 Jun 2018 19:03:09 GMT).


Acknowledgement sent to Ricardo Villalba <smplayer.dev@gmail.com>:
Extra info received and filed, but not forwarded. (Sun, 03 Jun 2018 19:03:09 GMT).


Message #15 received at 898943-quiet@bugs.debian.org:

From: Ricardo Villalba <smplayer.dev@gmail.com>
To: Reinhard Tartler <siretart@gmail.com>
Cc: 898943-quiet@bugs.debian.org
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Sun, 3 Jun 2018 20:58:53 +0200
Hello.

I wasn't aware of those vulnerabilities in mongoose.
It's possible to disable the support for chromecast in smplayer
by commenting out the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro



-- 
RVM



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Sun, 03 Jun 2018 21:21:06 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 03 Jun 2018 21:21:06 GMT).


Message #20 received at 898943@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Ricardo Villalba <smplayer.dev@gmail.com>
Cc: 898943@bugs.debian.org
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Sun, 3 Jun 2018 17:15:57 -0400
Thanks for the tip, Ricardo!

It appears that disabling that define still compiles (and installs)
the vulnerable program. I'll upload a new package that not only
disables that define, but also modifies the top-level Makefile to no
longer build and install mongoose:

https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch

Let me know what you think and what you intend to do upstream to
resolve this issue.

Thanks,
Reinhard


-- 
regards,
    Reinhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Sun, 03 Jun 2018 23:51:03 GMT).


Acknowledgement sent to Ricardo Villalba <smplayer.dev@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 03 Jun 2018 23:51:03 GMT).


Message #25 received at 898943@bugs.debian.org:

From: Ricardo Villalba <smplayer.dev@gmail.com>
To: Reinhard Tartler <siretart@gmail.com>
Cc: 898943@bugs.debian.org
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Mon, 4 Jun 2018 01:49:22 +0200
I don't know yet. I guess I'll have to look for another simple web server.





-- 
RVM



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Mon, 04 Jun 2018 16:51:02 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Mon, 04 Jun 2018 16:51:03 GMT).


Message #30 received at 898943@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Ricardo Villalba <smplayer.dev@gmail.com>
Cc: 898943@bugs.debian.org
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Mon, 4 Jun 2018 12:47:48 -0400
Ok, thanks. That sounds like a good plan!

Reinhard


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Tue, 05 Jun 2018 21:39:04 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 05 Jun 2018 21:39:04 GMT).


Message #35 received at 898943@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Reinhard Tartler <siretart@gmail.com>
Cc: Ricardo Villalba <smplayer.dev@gmail.com>, 898943@bugs.debian.org
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Tue, 5 Jun 2018 23:35:14 +0200
On Mon, Jun 04, 2018 at 12:47:48PM -0400, Reinhard Tartler wrote:
> Ok, thanks. That sounds like a good plan!

BTW, I'm not sure if Talos security actually reported these to the
cesanta/mongoose upstream project or whether they're doing it
for the security buzz/advertising factor...

I saw that upstream seem to be fairly active, so maybe it's just
a matter of properly reporting these vulnerabilities on their
Github page, letting them fix them and then rebasing the mongoose
copy to the fixed version?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Thu, 07 Jun 2018 10:39:07 GMT).


Acknowledgement sent to Mateusz Łukasik <mati75@linuxmint.pl>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 07 Jun 2018 10:39:07 GMT).


Message #40 received at 898943@bugs.debian.org:

From: Mateusz Łukasik <mati75@linuxmint.pl>
To: Reinhard Tartler <siretart@gmail.com>, 898943@bugs.debian.org, Ricardo Villalba <smplayer.dev@gmail.com>
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Thu, 7 Jun 2018 12:20:22 +0200
On 04.06.2018 18:47 +0100, Reinhard Tartler wrote:
> Ok, thanks. That sounds like a good plan!
> 
> Reinhard

Hi,

This is not fixed for me. I made a patch that adds the latest Mongoose version,
which includes fixes for all of these CVEs.
It is pushed to salsa now.

-- 
 .''`.  Mateusz Łukasik
: :' :  https://l0calh0st.pl
`. `'   Debian Member - mati75@linuxmint.pl
  `-    GPG: D93B 0C12 C8D0 4D7A AFBC  FA27 CCD9 1D61 11A0 6851




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Thu, 07 Jun 2018 13:12:03 GMT).


Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 07 Jun 2018 13:12:03 GMT).


Message #45 received at 898943@bugs.debian.org:

From: Reinhard Tartler <siretart@gmail.com>
To: Mateusz Łukasik <mati75@linuxmint.pl>
Cc: 898943@bugs.debian.org, Ricardo Villalba <smplayer.dev@gmail.com>
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Thu, 7 Jun 2018 09:08:08 -0400
On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik <mati75@linuxmint.pl> wrote:

> This is not fixed for me. I made a patch that adds the latest Mongoose version,
> which includes fixes for all of these CVEs.
> It is pushed to salsa now.
>
> --

Thank you!

I see that you've added
https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch
- which is a pretty big patch. I wouldn't know how to test it (I don't
use that feature) or even verify that the patch works. Mateusz, can
you please elaborate how you verified the patch and how confident are
you that it doesn't introduce unwanted side-effects?

Ricardo, would that patch be acceptable for upstream inclusion? - Your
opinion is highly valued and would be helpful in forming an opinion on
Mateusz' patch.

Mateusz, I also see that you prepared a new upstream version. That's
great, in fact, I've also prepared it locally to see if the issue
happened to be fixed upstream, but determined mongoose was not updated
and concluded the problem still persists. I've therefore decided to
not upload the new upstream version and focus on the existing issues
instead. Hence, I've applied the patch to disable the build of
mongoose in the present package version. I see that you disabled it in
https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde
(the commit message didn't help with finding that SHA1, I'd appreciate
more accurate messages in the future) - which is fine by me *if* we
are confident that the mongoose update actually fixes the problem (see
my question above).

Also, did you verify that the new mongoose patch builds with GCC-8? My
patch to disable mongoose takes care of that as well, it would be a
shame to reintroduce #897863 again.

-- 
regards,
    Reinhard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#898943; Package src:smplayer. (Thu, 07 Jun 2018 19:39:03 GMT).


Acknowledgement sent to Ricardo Villalba <smplayer.dev@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 07 Jun 2018 19:39:03 GMT).


Message #50 received at 898943@bugs.debian.org:

From: Ricardo Villalba <smplayer.dev@gmail.com>
To: Reinhard Tartler <siretart@gmail.com>
Cc: Mateusz Łukasik <mati75@linuxmint.pl>, 898943@bugs.debian.org
Subject: Re: Bug#898943: Multiple vulnerabiliities in Mongoose
Date: Thu, 7 Jun 2018 21:37:21 +0200
I'm already using mongoose 6.11 in the svn of SMPlayer. So far it
seems to work fine for me.

https://app.assembla.com/spaces/smplayer/subversion/commits/9030




-- 
RVM
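
The point raised in this thread, that commenting out DEFINES += CHROMECAST_SUPPORT does not by itself remove the embedded Mongoose copy, can be checked mechanically. The following is an added example, not code from smplayer or the Debian packaging: it assumes the vendored header is named mongoose.h and declares its release in an MG_VERSION macro, takes 6.11 (the version named in the thread) as the threshold, and runs on constructed sample trees in which the vendor/ directory and the 6.0 version are placeholders.

```python
import re
import tempfile
from pathlib import Path

# Version the thread names as carrying the CVE fixes.
FIXED_MONGOOSE = (6, 11)

DEFINE_RE = re.compile(r"^\s*DEFINES\s*\+=\s*(.*)$")
# Assumption: the header declares its release as  #define MG_VERSION "x.y"
VERSION_RE = re.compile(r'^\s*#\s*define\s+MG_VERSION\s+"(\d+(?:\.\d+)*)"', re.M)


def chromecast_enabled(pro_text):
    """True if an uncommented qmake DEFINES += line lists CHROMECAST_SUPPORT."""
    for line in pro_text.splitlines():
        code = line.split("#", 1)[0]  # qmake comments start with '#'
        m = DEFINE_RE.match(code)
        if m and "CHROMECAST_SUPPORT" in m.group(1).split():
            return True
    return False


def parse_version(header_text):
    """Return the declared version as a tuple of ints, or None if absent.

    Tuples compare numerically, so (6, 9) < (6, 11); comparing the raw
    strings "6.9" and "6.11" would give the wrong answer.
    """
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(tree):
    """Report the define state and every vendored mongoose.h under tree."""
    tree = Path(tree)
    define_on = any(
        chromecast_enabled(p.read_text(errors="replace"))
        for p in tree.rglob("*.pro")
    )
    copies = []
    for hdr in sorted(tree.rglob("mongoose.h")):
        ver = parse_version(hdr.read_text(errors="replace"))
        copies.append((hdr.relative_to(tree).as_posix(), ver))
    # A copy is stale when its version is unknown or older than the fix.
    stale = [c for c in copies if c[1] is None or c[1] < FIXED_MONGOOSE]
    return {"chromecast_define": define_on, "copies": copies, "stale": stale}


def make_tree(root, define_line, mg_version):
    """Build a constructed sample source tree (not the real smplayer layout)."""
    root = Path(root)
    (root / "src").mkdir(parents=True)
    (root / "vendor").mkdir()  # placeholder location for the embedded copy
    (root / "src" / "smplayer.pro").write_text(f"QT += network\n{define_line}\n")
    (root / "vendor" / "mongoose.h").write_text(
        f'#define MG_VERSION "{mg_version}"\n'
    )
    return root


def demo():
    """Audit the three states discussed in the thread."""
    cases = {
        "as shipped": ("DEFINES += CHROMECAST_SUPPORT", "6.0"),
        "define commented": ("#DEFINES += CHROMECAST_SUPPORT", "6.0"),
        "mongoose updated": ("DEFINES += CHROMECAST_SUPPORT", "6.11"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (define_line, version) in cases.items():
            tree = make_tree(Path(tmp) / name.replace(" ", "_"), define_line, version)
            results[name] = audit(tree)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        state = "STALE COPY PRESENT" if result["stale"] else "ok"
        print(f"{name}: define={result['chromecast_define']} {state}")
```

The version check only reports what the header declares; whether the copy is actually compiled and installed still has to be confirmed in the build rules and the resulting package contents.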



Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#898943. (Fri, 08 Jun 2018 00:09:07 GMT).


Message #53 received at 898943-submitter@bugs.debian.org:

From: mati75@linuxmint.pl
To: 898943-submitter@bugs.debian.org
Subject: Bug #898943 in smplayer marked as pending
Date: Fri, 08 Jun 2018 00:06:00 +0000
Control: tag -1 pending

Hello,

Bug #898943 in smplayer reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/multimedia-team/smplayer/commit/d1f3aaeda717076c1761f0aebb56681a5c4ce435

------------------------------------------------------------------------
Add debian/patches/03-update-mongoose-to-6.11.patch:
    - Fix CVE-2017-2891, CVE-2017-2892, CVE-2017-2893, CVE-2017-2894,
      CVE-2017-2895, CVE-2017-2909, CVE-2017-2921, CVE-2017-2922. (Closes: #898943)
  * Add debian/patches/07-fix-ftbfs-gcc8.patch:
    - Fix FTBFS with gcc-8. (Closes: #897863)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/898943



Added tag(s) pending. Request was from mati75@linuxmint.pl to 898943-submitter@bugs.debian.org. (Fri, 08 Jun 2018 00:09:07 GMT)


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Mon, 18 Jun 2018 19:39:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 18 Jun 2018 19:39:07 GMT)


Message #60 received at 898943-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 898943-close@bugs.debian.org
Subject: Bug#898943: fixed in smplayer 18.5.0~ds1-1
Date: Mon, 18 Jun 2018 19:35:01 +0000
Source: smplayer
Source-Version: 18.5.0~ds1-1

We believe that the bug you reported is fixed in the latest version of
smplayer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898943@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated smplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 18 Jun 2018 14:58:36 -0400
Source: smplayer
Binary: smplayer smplayer-l10n
Architecture: source
Version: 18.5.0~ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
 smplayer   - Complete front-end for MPlayer and mpv
 smplayer-l10n - Complete front-end for MPlayer and mpv - translation files
Closes: 897863 898943
Changes:
 smplayer (18.5.0~ds1-1) unstable; urgency=medium
 .
   [ Reinhard Tartler ]
   * New upstream release.
    * Disable chromecast support to workaround security issues in the
      "simple web server" mongoose (Closes: #898943)
 .
   [ Mateusz Łukasik ]
   * Add debian/patches/07-fix-ftbfs-gcc8.patch:
     - Fix FTBFS with gcc-8. (Closes: #897863)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Jul 2018 07:33:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:55:50 2019; Machine Name: buxtehude
