Bug#888654: mpv: CVE-2018-6360
Hi,

On 06/02/18 18:08, Luciano Bello wrote:
> On 2018-02-03 09:13, James Cowgill wrote:
>> Unlike the backport for 0.27 which was fairly straightforward, the
>> backport for 0.23 required significant changes and I ended up rewriting
>> half of it. This means I am less confident about catching all the cases
>> to fix this bug. It would be good if anyone could check it over.
>
> I tested the PoC (probably as you) and it seems fixed. I tried to cover
> under branches and they also look sanitized. I feel as confident as
> somebody can be that the patch is complete. It seems functionally safe.
>
> Thanks for your work, please upload.

Thanks for testing! I've uploaded it.

James
Bug#888654: mpv: CVE-2018-6360
On 2018-02-03 09:13, James Cowgill wrote:
> Unlike the backport for 0.27 which was fairly straightforward, the
> backport for 0.23 required significant changes and I ended up rewriting
> half of it. This means I am less confident about catching all the cases
> to fix this bug. It would be good if anyone could check it over.

I tested the PoC (probably as you) and it seems fixed. I tried to cover
under branches and they also look sanitized. I feel as confident as
somebody can be that the patch is complete. It seems functionally safe.

Thanks for your work, please upload.

/luciano
Bug#888654: mpv: CVE-2018-6360
Hi,

On 28/01/18 14:17, Salvatore Bonaccorso wrote:
> Source: mpv
> Version: 0.23.0-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/mpv-player/mpv/issues/5456
>
> Hi,
>
> the following vulnerability was published for mpv.
>
> CVE-2018-6360[0]:
> | mpv through 0.28.0 allows remote attackers to execute arbitrary code
> | via a crafted web site, because it reads HTML documents containing
> | VIDEO elements, and accepts arbitrary URLs in a src attribute without a
> | protocol whitelist in player/lua/ytdl_hook.lua. For example, an
> | av://lavfi:ladspa=file= URL signifies that the product should call
> | dlopen on a shared object file located at an arbitrary local pathname.
> | The issue exists because the product does not consider that youtube-dl
> | can provide a potentially unsafe URL.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have attempted to backport the upstream patch to fix this and committed
it to the mpv repository on salsa. The diff is here:
https://salsa.debian.org/multimedia-team/mpv/compare/debian%2F0.23.0-2...debian%2Fstretch

Unlike the backport for 0.27 which was fairly straightforward, the
backport for 0.23 required significant changes and I ended up rewriting
half of it. This means I am less confident about catching all the cases
to fix this bug. It would be good if anyone could check it over.

Thanks,
James
Bug#888654: mpv: CVE-2018-6360
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore
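The advisory above describes the root cause as a missing protocol whitelist on URLs that youtube-dl hands back to the player, and the thread's concern is whether every place such a URL can appear (single URL, separate audio and video formats, playlist entries) is covered. The following is an added example, not mpv's Lua hook, the upstream fix or the Debian backport: it shows the defensive pattern in Python, with the scheme allowlist, the youtube-dl field names (`url`, `requested_formats`, `entries`) and the sample info dict all constructed for illustration.

```python
import json
import re

# Constructed allowlist of schemes that a youtube-dl result may legitimately
# carry (assumption for this example, not mpv's actual list). Anything else,
# including "av", "lavfi" and "file", is rejected rather than passed to the
# media layer where it could select a local-file or plugin-loading protocol.
SAFE_SCHEMES = frozenset({
    "http", "https", "ftp", "ftps",
    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
    "data",
})

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def url_scheme(url):
    """Return the lowercase scheme of ``url``, or None if it has none."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


def is_safe_url(url):
    """Accept only strings whose scheme is on the allowlist.

    Non-strings and schemeless strings are rejected: a bare path would be
    opened locally and a missing scheme invites the media layer to guess one,
    which is exactly the ambiguity the allowlist exists to remove.
    Matching is case-insensitive ("HTTP://" is still http) and the scheme is
    checked as a whole, so "av://lavfi:..." is judged by "av", not by the
    "lavfi" that follows.
    """
    if not isinstance(url, str):
        return False
    scheme = url_scheme(url)
    return scheme is not None and scheme in SAFE_SCHEMES


def collect_urls(info):
    """Yield every stream URL a youtube-dl style info dict can carry.

    Covers the top-level ``url``, each entry of ``requested_formats`` (separate
    audio and video streams) and nested playlist ``entries``; missing each of
    these branches is the kind of gap the thread asks reviewers to look for.
    """
    if not isinstance(info, dict):
        return
    if "url" in info:
        yield info["url"]
    for fmt in info.get("requested_formats") or []:
        if isinstance(fmt, dict) and "url" in fmt:
            yield fmt["url"]
    for entry in info.get("entries") or []:
        yield from collect_urls(entry)


def partition_urls(info):
    """Split all URLs in ``info`` into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for u in collect_urls(info):
        (accepted if is_safe_url(u) else rejected).append(u)
    return accepted, rejected


# Constructed sample of a youtube-dl result with one safe and one unsafe URL
# in each branch; the av:// string mirrors the example in the advisory.
SAMPLE_INFO = json.loads("""{
  "title": "constructed sample",
  "requested_formats": [
    {"format_id": "video", "url": "https://cdn.example.invalid/v.mp4"},
    {"format_id": "audio", "url": "av://lavfi:ladspa=file=/tmp/plugin.so"}
  ],
  "entries": [
    {"url": "HTTP://cdn.example.invalid/e1.mp4"},
    {"url": "file:///etc/hostname"}
  ]
}""")


if __name__ == "__main__":
    ok, bad = partition_urls(SAMPLE_INFO)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately strict about what it accepts rather than enumerating dangerous schemes: a denylist would have to anticipate every protocol the media layer can parse, while an allowlist only has to know which ones the player actually needs from youtube-dl.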