Bug#888654: mpv: CVE-2018-6360

James Cowgill jcowgill at debian.org
Sat Feb 3 14:13:47 UTC 2018


Hi,

On 28/01/18 14:17, Salvatore Bonaccorso wrote:
> Source: mpv
> Version: 0.23.0-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/mpv-player/mpv/issues/5456
> 
> Hi,
> 
> the following vulnerability was published for mpv.
> 
> CVE-2018-6360[0]:
> | mpv through 0.28.0 allows remote attackers to execute arbitrary code
> | via a crafted web site, because it reads HTML documents containing
> | VIDEO elements, and accepts arbitrary URLs in a src attribute without a
> | protocol whitelist in player/lua/ytdl_hook.lua. For example, an
> | av://lavfi:ladspa=file= URL signifies that the product should call
> | dlopen on a shared object file located at an arbitrary local pathname.
> | The issue exists because the product does not consider that youtube-dl
> | can provide a potentially unsafe URL.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have attempted to backport the upstream patch to fix this and
committed it to the mpv repository on salsa. The diff is here:

https://salsa.debian.org/multimedia-team/mpv/compare/debian%2F0.23.0-2...debian%2Fstretch

Unlike the backport for 0.27, which was fairly straightforward, the
backport for 0.23 required significant changes and I ended up rewriting
half of it. This means I am less confident about catching all the cases
to fix this bug. It would be good if anyone could check it over.

Thanks,
James
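One way to do the scheme check that the advisory says was missing from ytdl_hook.lua, as an added example that is neither mpv's upstream patch nor the Debian backport; the function names, the allowlist contents and the shape of the youtube-dl result are assumptions:

```lua
-- Added example, not mpv's or Debian's own code: a protocol allowlist
-- applied to the URLs youtube-dl returns, the kind of check the CVE
-- text says was missing from ytdl_hook.lua. Function names are assumed.

local safe_protos = { "http", "https", "ftp", "ftps",
                      "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte" }

-- True only when `url` carries a scheme from the allowlist. Everything
-- else (av://, lavfi:, file:, bare paths) is refused, so a crafted src
-- attribute cannot steer the player into an arbitrary libavfilter graph
-- such as ladspa=file=..., which would dlopen a local shared object.
local function is_safe_url(url)
    if type(url) ~= "string" then return false end
    local scheme = url:match("^(%a[%w%+%.%-]*)://")
    if not scheme then return false end
    scheme = scheme:lower()
    for _, proto in ipairs(safe_protos) do
        if scheme == proto then return true end
    end
    return false
end

-- Check every URL in a youtube-dl JSON result, including the per-format
-- URLs of multi-stream entries, and report the ones that fail.
local function filter_ytdl_result(json)
    local rejected = {}
    local function check(u)
        if not is_safe_url(u) then rejected[#rejected + 1] = tostring(u) end
    end
    if json.url then check(json.url) end
    for _, fmt in ipairs(json.requested_formats or {}) do
        check(fmt.url)
    end
    return #rejected == 0, rejected
end

-- Constructed sample shaped like a youtube-dl result; the second format
-- carries the av:// URL from the advisory with a placeholder path.
local sample = {
    url = "https://cdn.example.invalid/video.mp4",
    requested_formats = {
        { url = "https://cdn.example.invalid/audio.m4a" },
        { url = "av://lavfi:ladspa=file=/PLACEHOLDER/plugin.so" },
    },
}
local ok, bad = filter_ytdl_result(sample)
print(ok, table.concat(bad, ", "))
```

A hook that refuses the whole result when any URL fails the check, rather than only the offending format, avoids falling back to a partially trusted stream.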
