On Thu, Jun 7, 2018 at 6:20 AM Mateusz Łukasik <mat...@linuxmint.pl> wrote:
> This is not fixed for me. I made a patch that adds the latest Mongoose version,
> which includes fixes for all of these CVEs.
> It is pushed now to salsa.
>
> --

Thank you! I see that you've added https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch - which is a pretty big patch. I wouldn't know how to test it (I don't use that feature) or even verify that the patch works. Mateusz, can you please elaborate on how you verified the patch and how confident you are that it doesn't introduce unwanted side-effects?

Ricardo, would that patch be acceptable for upstream inclusion? Your opinion is highly valued and would be helpful in forming an opinion on Mateusz' patch.

Mateusz, I also see that you prepared a new upstream version. That's great; in fact, I've also prepared it locally to see if the issue happened to be fixed upstream, but determined mongoose was not updated and concluded the problem still persists. I've therefore decided not to upload the new upstream version and to focus on the existing issues instead. Hence, I've applied the patch to disable the build of mongoose in the present package version.

I see that you disabled it in https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde (the commit message didn't help with finding that SHA1; I'd appreciate more accurate messages in the future) - which is fine by me *if* we are confident that the mongoose update actually fixes the problem (see my question above).

Also, did you verify that the new mongoose patch builds with GCC-8? My patch to disable mongoose takes care of that as well; it would be a shame to reintroduce #897863 again.

--
regards,
Reinhard