Hi,

On 28/01/18 14:17, Salvatore Bonaccorso wrote:
> Source: mpv
> Version: 0.23.0-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/mpv-player/mpv/issues/5456
>
> Hi,
>
> the following vulnerability was published for mpv.
>
> CVE-2018-6360[0]:
> | mpv through 0.28.0 allows remote attackers to execute arbitrary code
> | via a crafted web site, because it reads HTML documents containing
> | VIDEO elements, and accepts arbitrary URLs in a src attribute without a
> | protocol whitelist in player/lua/ytdl_hook.lua. For example, an
> | av://lavfi:ladspa=file= URL signifies that the product should call
> | dlopen on a shared object file located at an arbitrary local pathname.
> | The issue exists because the product does not consider that youtube-dl
> | can provide a potentially unsafe URL.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have attempted to backport the upstream patch to fix this and committed it to the mpv repository on salsa. The diff is here:
https://salsa.debian.org/multimedia-team/mpv/compare/debian%2F0.23.0-2...debian%2Fstretch

Unlike the backport for 0.27 which was fairly straightforward, the backport for 0.23 required significant changes and I ended up rewriting half of it. This means I am less confident about catching all the cases to fix this bug. It would be good if anyone could check it over.

Thanks,
James
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
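
The CVE text quoted above attributes the issue to URLs from youtube-dl being accepted without a protocol whitelist. The sketch below shows such a check together with the fail-closed cases a backport review would want to exercise. It is an added example, not code from mpv or from the Debian backport; the function names and the scheme list are assumptions.

```lua
-- Added illustration; not code from mpv or the Debian backport.
-- Function names and the scheme list are assumptions.

-- Network schemes the hook is willing to pass on to the player (assumed set).
local SAFE_SCHEMES = {
    http = true, https = true, rtmp = true, rtmps = true,
    rtsp = true, mms = true, mmsh = true,
}

-- Extract the lowercased scheme of "scheme://...", or nil when absent.
local function url_scheme(url)
    if type(url) ~= "string" then return nil end
    local scheme = url:match("^([%a][%w+.%-]*)://")
    return scheme and scheme:lower() or nil
end

-- Fail closed: no scheme (a bare path) or an unlisted scheme is rejected.
local function url_is_allowed(url)
    local scheme = url_scheme(url)
    return scheme ~= nil and SAFE_SCHEMES[scheme] == true
end

-- Split resolver output into entries to play and entries to drop.
local function filter_entries(entries)
    local kept, dropped = {}, {}
    for _, entry in ipairs(entries) do
        if url_is_allowed(entry.url) then
            kept[#kept + 1] = entry
        else
            dropped[#dropped + 1] = entry
        end
    end
    return kept, dropped
end

-- Constructed resolver output; the av:// prefix is the one quoted in the CVE text.
local sample = {
    { url = "https://media.example/video.mp4" },
    { url = "HTTPS://media.example/upper.mp4" },
    { url = "av://lavfi:ladspa=file=" },
    { url = "/tmp/local-file" },
    { url = " https://media.example/leading-space" },
    { },  -- entry with no url field at all
}

local kept, dropped = filter_entries(sample)
assert(#kept == 2 and #dropped == 4)
for _, e in ipairs(dropped) do
    print("dropped: " .. tostring(e.url))
end
```

The check belongs at every place where a resolver-supplied URL is handed to the player, including playlist entries and any secondary streams, since a single unfiltered path reopens the issue.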