On Sun, Jun 3, 2018 at 9:36 PM Jonas Smedegaard <d...@jones.dk> wrote:
>
> Hi Reinhard,
>
> Excerpts from Reinhard Tartler's message of juni 3, 2018 10:48 pm:
> > On Mon, Jul 31, 2017 at 1:48 AM Jonas Smedegaard <d...@jones.dk> wrote:
> >> smplayer includes code in src/basegui.cpp to download and (I guess)
> >> execute javascript code for parsing youtube paths. The download URL
> >> is http://updates.smplayer.info/yt.js which is insecure and therefore
> >> I suspect easy to replace with evil code.
> >
> > Apparently, this was already fixed upstream quite some time ago in
> > package version 17.11.2~ds0-1 without mentioning this in
> > debian/changelog. I'm therefore closing this bug manually.
>
> Sorry, but I don't see any such change, and it seems the problematic
> code is still there:
>
>
> $ git grep updates.smplayer.info
> src/links.h:#define URL_YT_CODE "http://updates.smplayer.info/yt.js"
> src/links.h:#define URL_VERSION_INFO "http://updates.smplayer.info/version_info.ini"
>
>
> $ grep -C5 URL_YT_CODE src/basegui.cpp
> void BaseGui::YTUpdateScript() {
>     static CodeDownloader * downloader = 0;
>     if (!downloader) downloader = new CodeDownloader(this);
>     downloader->saveAs(Paths::configPath() + "/yt.js");
>     downloader->show();
>     downloader->download(QUrl(URL_YT_CODE));
> }
> #endif // YT_USE_YTSIG
> #endif //YOUTUBE_SUPPORT
>
> void BaseGui::gotForbidden() {
>
>
> Could you perhaps reference the git commit you believe fixed this?

From Mateusz' patch 2831d03e5e7cbb9328469ad92e0fea8ec19ee943 in the 'stretch' branch (unfortunately not uploaded to salsa yet, Mateusz, do you happen to have the jessie and stretch branches available on your computer? If so, please kindly upload them to salsa - I found it in my mail archive), I conclude that in order to solve the issue, we need to make sure that the define YT_USE_YTSIG is not set:

diff --git a/debian/patches/07-fixyoutube.patch b/debian/patches/07-fixyoutube.patch index b968a03..78d3fe5 100644 --- a/debian/patches/07-fixyoutube.patch +++ b/debian/patches/07-fixyoutube.patch @@ -1,5 +1,6 @@ Description: Fix connections to youtube. Bug-Debian: http://bugs.debian.org/869411 +Author: Ricardo Villalba <r...@escomposlinux.org> --- a/src/youtube/sig.cpp +++ b/src/youtube/sig.cpp diff --git a/debian/patches/08-870233.patch b/debian/patches/08-870233.patch new file mode 100644 index 0000000..d6a0975 --- /dev/null +++ b/debian/patches/08-870233.patch @@ -0,0 +1,16 @@ +Description: Disable executes javascript code downloaded from insecure URL +Author: Mateusz Ĺukasik <mat...@linuxmint.pl> +Bug-Debian: https://bugs.debian.org/870233 +Last-Update: 2017-07-31 + +--- a/src/smplayer.pro ++++ b/src/smplayer.pro +@@ -439,7 +439,7 @@ contains( DEFINES, YOUTUBE_SUPPORT ) { + + contains( DEFINES, YT_USE_SCRIPT ) { + DEFINES += YT_USE_SIG +- DEFINES += YT_USE_YTSIG ++ #DEFINES += YT_USE_YTSIG + QT += script + } +

This is done as per upstream version 17.11.2 and that's why I have closed the bug with that version.

It appears to me that undefining URL_YT_CODE disables more functionality than strictly necessary, but I may be misreading the code. In any case, comments on this are more than welcome. I'd also appreciate comments from Ricardo, who is listed as the author of the patch.

Jonas, do you have reason to believe that the bug is still present in 18.2.2 (the version that is currently in unstable)? If so, please elaborate.

Best,
Reinhard
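
Review bot: in the src/smplayer.pro hunk carried by 08-870233.patch, `DEFINES += YT_USE_YTSIG` is only commented out, so the whole fix rests on one build define while `URL_YT_CODE` in src/links.h still points at the plain-http `http://updates.smplayer.info/yt.js` shown in the quoted `git grep`. If a later refresh of the patch series drops this hunk, or someone re-enables the define, `BaseGui::YTUpdateScript()` is compiled in again and fetches the script over an unauthenticated channel. I would delete the line rather than comment it, state in the Description which feature is being switched off (the current wording "Disable executes javascript code" is hard to read), and add a `Forwarded:` field to the patch header so it is clear whether upstream carries the same change. Since `DEFINES += YT_USE_SIG` and `QT += script` stay in place, it is also worth confirming that nothing under YT_USE_SIG still loads a previously saved `yt.js` from `Paths::configPath()`.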