Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#57442 - [mpv] CVE-2018-6360: arbitrary code execution
Attached to Project:
Community Packages
Opened by Baptiste (zorun) - Friday, 09 February 2018, 08:02 GMT
Last edited by Christian Hesse (eworm) - Monday, 12 February 2018, 07:08 GMT
Details: https://security-tracker.debian.org/tracker/CVE-2018-6360

"mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL."

See discussion and patches here: https://github.com/mpv-player/mpv/issues/5456

Debian took 3 patches: e6e6b0dcc7e9, f8263e82cc74 and ce42a965330d
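The CVE text above faults the absence of a protocol whitelist on URLs returned by an external resolver. The following is an added illustration of what such a fail-closed check looks like; it is not mpv's code and not one of the linked patches. The allowed-scheme set, the `is_safe_url` / `filter_resolver_output` names and the resolver output are all constructed for this example.

```python
"""Protocol whitelist for media URLs handed back by an external resolver.

Added example, not code from mpv or from the patches referenced in the bug.
The allowed-scheme set below is an assumption chosen for illustration and is
not mpv's actual list; the resolver output is constructed.
"""
from urllib.parse import urlsplit

# Only network transports the player is expected to fetch media over.
# Everything else (av://, lavfi:, file://, an absent scheme, ...) is refused.
# Constructed for this example.
SAFE_SCHEMES = frozenset({"http", "https", "rtmp", "rtmps", "rtsp"})


def is_safe_url(url):
    """Return True only if the URL carries a scheme listed in SAFE_SCHEMES.

    A whitelist fails closed: an unknown scheme, a scheme-less bare path
    such as 'movie.mkv', or a non-string value are all rejected. Leading and
    trailing whitespace is stripped so that '  av://...' cannot slip past as
    a scheme-less path and later be reinterpreted by the player.
    """
    if not isinstance(url, str):
        return False
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


def filter_resolver_output(entries):
    """Split resolver entries into (accepted, rejected) by their 'url' field.

    Each entry is a dict as a resolver might emit; only entries whose URL
    passes is_safe_url are handed on to the player.
    """
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_safe_url(entry.get("url")) else rejected).append(entry)
    return accepted, rejected


# Constructed sample of what a resolver might return for one page.
SAMPLE_RESOLVER_OUTPUT = [
    {"title": "clip 1", "url": "https://cdn.example.com/clip1.mp4"},
    {"title": "clip 2", "url": "RTSP://media.example.com/live"},
    {"title": "bad 1", "url": "av://lavfi:ladspa=file=/tmp/evil.so"},
    {"title": "bad 2", "url": "file:///etc/passwd"},
    {"title": "bad 3", "url": "  lavfi:movie=/dev/zero"},
]

if __name__ == "__main__":
    ok, bad = filter_resolver_output(SAMPLE_RESOLVER_OUTPUT)
    for e in ok:
        print("accepted:", e["url"])
    for e in bad:
        print("rejected:", e["url"])
```

The point of the whitelist over a blacklist is visible in the last sample entry: a blacklist would have to anticipate every scheme the player's own URL parser understands, while the whitelist rejects anything it was not explicitly told to trust.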
This task depends upon
Closed by Christian Hesse (eworm) - Monday, 12 February 2018, 07:08 GMT
Reason for closing: Fixed
Additional comments about closing: mpv 0.27.1-1
Comment by Ricardo (RiCON) - Saturday, 10 February 2018, 15:10 GMT
Patch release v0.27.1 was made upstream, btw: https://github.com/mpv-player/mpv/releases/tag/v0.27.1