Bug#888654: mpv: CVE-2018-6360

2018-02-06 Thread James Cowgill
Hi,

On 06/02/18 18:08, Luciano Bello wrote:
> On 2018-02-03 09:13, James Cowgill wrote:
>> Unlike the backport for 0.27 which was fairly straightforward, the
>> backport for 0.23 required significant changes and I ended up rewriting
>> half of it. This means I am less confident about catching all the cases
>> to fix this bug. It would be good if anyone could check it over.
> 
> I tested the PoC (probably as you) and it seems fixed. I tried to cover
> under branches and they also look sanitized. I feel as confident as
> somebody can be that the patch is complete. It seems functionally safe.
> 
> Thanks for your work, please upload.

Thanks for testing! I've uploaded it.

James


Bug#888654: mpv: CVE-2018-6360

2018-02-06 Thread Luciano Bello
On 2018-02-03 09:13, James Cowgill wrote:
> Unlike the backport for 0.27 which was fairly straightforward, the
> backport for 0.23 required significant changes and I ended up rewriting
> half of it. This means I am less confident about catching all the cases
> to fix this bug. It would be good if anyone could check it over.

I tested the PoC (probably as you) and it seems fixed. I tried to cover
under branches and they also look sanitized. I feel as confident as
somebody can be that the patch is complete. It seems functionally safe.

Thanks for your work, please upload.

/luciano


Bug#888654: mpv: CVE-2018-6360

2018-02-03 Thread James Cowgill
Hi,

On 28/01/18 14:17, Salvatore Bonaccorso wrote:
> Source: mpv
> Version: 0.23.0-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/mpv-player/mpv/issues/5456
> 
> Hi,
> 
> the following vulnerability was published for mpv.
> 
> CVE-2018-6360[0]:
> | mpv through 0.28.0 allows remote attackers to execute arbitrary code
> | via a crafted web site, because it reads HTML documents containing
> | VIDEO elements, and accepts arbitrary URLs in a src attribute without a
> | protocol whitelist in player/lua/ytdl_hook.lua. For example, an
> | av://lavfi:ladspa=file= URL signifies that the product should call
> | dlopen on a shared object file located at an arbitrary local pathname.
> | The issue exists because the product does not consider that youtube-dl
> | can provide a potentially unsafe URL.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have attempted to backport the upstream patch to fix this and
committed it to the mpv repository on salsa. The diff is here:

https://salsa.debian.org/multimedia-team/mpv/compare/debian%2F0.23.0-2...debian%2Fstretch

Unlike the backport for 0.27 which was fairly straightforward, the
backport for 0.23 required significant changes and I ended up rewriting
half of it. This means I am less confident about catching all the cases
to fix this bug. It would be good if anyone could check it over.

Thanks,
James


Bug#888654: mpv: CVE-2018-6360

2018-01-28 Thread Salvatore Bonaccorso
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore
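The CVE text in this report names the missing control: the URL that youtube-dl hands back is opened by the player without a protocol whitelist, so a resolver result such as av://lavfi:ladspa=file=/path/to/lib.so is treated like any other media source and ends up in a dlopen of an attacker-chosen file. The block below is an added example written for this page, not mpv's code (mpv's real hook is Lua, in player/lua/ytdl_hook.lua, and the set of schemes used here is an assumption for the example, not mpv's own list). It shows the shape of the fix: extract the scheme of every URL a resolver result can carry (top-level "url", per-format "requested_formats", and playlist "entries", which are youtube-dl info-dict keys; the sample dicts are constructed), compare it against a fixed allow-list, and reject anything else, including URLs with no scheme at all, since a local path should never come back from a remote resolver.

```python
"""Protocol whitelist for URLs returned by an untrusted resolver.

Added example; not mpv's code. The scheme list is an assumption for the
example and is not mpv's whitelist.
"""
import json
import re

# Schemes this example is willing to hand to a demuxer as a remote source.
SAFE_PROTOCOLS = frozenset({
    "http", "https", "ftp", "ftps",
    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpte", "rtmpts",
    "rtsp", "rtsps", "mms", "mmsh", "mmst",
})

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# Matching from the start means "av://lavfi:ladspa=file=..." yields "av",
# not the "lavfi" or "file" tokens buried later in the string.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


class UnsafeUrl(ValueError):
    """Raised when a resolver result carries a URL outside the whitelist."""


def url_scheme(url):
    """Return the lowercase scheme of url, or None when it has none."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


def is_safe_url(url):
    """True only when the URL is a string whose scheme is whitelisted.

    A URL without a scheme (a bare local path) is rejected as well: a
    result from an external resolver should always point at a remote
    resource, and a path would otherwise be opened by the player directly.
    """
    if not isinstance(url, str):
        return False
    scheme = url_scheme(url)
    return scheme is not None and scheme in SAFE_PROTOCOLS


def collect_urls(info):
    """Yield every URL a player would open from a youtube-dl style info dict.

    Covers the single-URL case, the split video/audio formats case and
    playlists, so no branch of the result escapes the check.
    """
    if "url" in info:
        yield info["url"]
    for fmt in info.get("requested_formats") or []:
        if "url" in fmt:
            yield fmt["url"]
    for entry in info.get("entries") or []:
        yield from collect_urls(entry)


def validated_urls(info):
    """Return all URLs to open, or raise UnsafeUrl on the first bad one."""
    urls = []
    for url in collect_urls(info):
        if not is_safe_url(url):
            raise UnsafeUrl("refusing non-whitelisted URL: %r" % (url,))
        urls.append(url)
    return urls


# Constructed sample resolver output (not captured from youtube-dl).
BENIGN_INFO = json.loads('''{
  "title": "clip",
  "requested_formats": [
    {"url": "https://cdn.example.invalid/video.mp4"},
    {"url": "HTTPS://cdn.example.invalid/audio.m4a"}
  ]
}''')

# Constructed: a playlist whose second entry smuggles a local shared object.
MALICIOUS_INFO = json.loads('''{
  "title": "clip",
  "entries": [
    {"url": "https://cdn.example.invalid/first.mp4"},
    {"url": "av://lavfi:ladspa=file=/tmp/evil.so"}
  ]
}''')


def demo():
    """Return (accepted URLs for the benign result, whether the bad one was blocked)."""
    accepted = validated_urls(BENIGN_INFO)
    try:
        validated_urls(MALICIOUS_INFO)
        blocked = False
    except UnsafeUrl:
        blocked = True
    return accepted, blocked


if __name__ == "__main__":
    print(demo())
```

The point of walking every branch of the result rather than checking one field is the one the thread raises for the 0.23 backport: a whitelist that is applied on only some code paths is not a whitelist. Comparing lowercased schemes against a fixed set, rather than blacklisting av:// or lavfi, also means any new or unexpected scheme fails closed.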