Community Packages


FS#57442 - [mpv] CVE-2018-6360: arbitrary code execution

Attached to Project: Community Packages
Opened by Baptiste (zorun) - Friday, 09 February 2018, 08:02 GMT
Last edited by Christian Hesse (eworm) - Monday, 12 February 2018, 07:08 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Christian Hesse (eworm), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

https://security-tracker.debian.org/tracker/CVE-2018-6360

"mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL."

See discussion and patches here: https://github.com/mpv-player/mpv/issues/5456

Debian took 3 patches: e6e6b0dcc7e9, f8263e82cc74 and ce42a965330d
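The description above says the root cause was the absence of a protocol whitelist for URLs that youtube-dl hands back. As an added illustration (this is not mpv's ytdl_hook.lua and not any of the patches listed above), the following Python shows what such an allowlist check looks like when applied to the whole resolver result rather than a single URL: the scheme list, the shape of the info dictionary (`url`, `requested_formats`, `entries`) and the sample inputs are all assumptions constructed for the example.

```python
"""Illustrative scheme allowlist for URLs returned by an external resolver.

Added example; not mpv's own code. SAFE_SCHEMES and the info-dict layout
are assumptions made for the demonstration.
"""
from __future__ import annotations

import re
from typing import Any

# Assumed allowlist: schemes a player can pass to its demuxer without
# reaching local resources. Everything else (av://, lavfi, file://, bare
# paths, Windows drive letters, scheme-less URLs) is refused.
SAFE_SCHEMES = frozenset({
    "http", "https", "ftp", "ftps",
    "rtmp", "rtmps", "rtmpt", "rtmpts", "rtmpe", "rtmpte",
    "data",
})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def scheme_of(url: str) -> str | None:
    """Return the lower-cased scheme of `url`, or None when it has none."""
    m = _SCHEME_RE.match(url.strip())
    return m.group(1).lower() if m else None


def url_is_safe(url: str) -> bool:
    """True only for URLs whose scheme is explicitly allowlisted.

    A missing scheme is treated as unsafe, because a bare path would be
    interpreted relative to the local filesystem by most players.
    """
    scheme = scheme_of(url)
    return scheme is not None and scheme in SAFE_SCHEMES


def collect_urls(info: dict[str, Any]) -> list[str]:
    """Gather every URL in a (constructed) youtube-dl style info dict:
    the top-level `url`, each `requested_formats` URL, and every playlist
    `entries` item, recursively."""
    urls: list[str] = []
    if isinstance(info.get("url"), str):
        urls.append(info["url"])
    for fmt in info.get("requested_formats") or []:
        if isinstance(fmt.get("url"), str):
            urls.append(fmt["url"])
    for entry in info.get("entries") or []:
        urls.extend(collect_urls(entry))
    return urls


def check_resolver_result(info: dict[str, Any]) -> tuple[bool, list[str]]:
    """Accept the resolver output only if *every* URL in it is allowlisted.

    Returns (accepted, rejected_urls). One bad URL rejects the whole result,
    so a playlist cannot hide a single unsafe entry among safe ones.
    """
    rejected = [u for u in collect_urls(info) if not url_is_safe(u)]
    return (not rejected, rejected)


if __name__ == "__main__":
    # Constructed sample results, not real youtube-dl output.
    benign = {"url": "https://cdn.example.test/clip.m3u8"}
    hostile = {
        "entries": [
            {"url": "https://cdn.example.test/a.mp4"},
            {"url": "av://lavfi:ladspa=file=PLACEHOLDER_PATH"},
        ]
    }
    print(check_resolver_result(benign))   # (True, [])
    print(check_resolver_result(hostile))  # (False, ['av://lavfi:ladspa=file=PLACEHOLDER_PATH'])
```

The check is deliberately an allowlist rather than a denylist of known-bad prefixes: the description notes that the resolver itself can return an unsafe URL, so the player must decide which schemes it is willing to open and refuse everything else, including scheme-less strings that would otherwise be read as local paths.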
Closed by Christian Hesse (eworm)
Monday, 12 February 2018, 07:08 GMT
Reason for closing: Fixed
Additional comments about closing: mpv 0.27.1-1
Comment by Ricardo (RiCON) - Saturday, 10 February 2018, 15:10 GMT
Patch release v0.27.1 was made upstream, btw: https://github.com/mpv-player/mpv/releases/tag/v0.27.1