diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-02-07 14:59:05 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-02-07 14:59:12 +0000 |
commit | cb35795acccd2a18d6a4c0f284f156c73867fe90 (patch) | |
tree | 71ad8c554a22de80aeffdb3079454e60701b71b6 | |
parent | f6dbda6d21a3c65a7895b41b4c1ed97adef1ca28 (diff) | |
download | aports-cb35795acccd2a18d6a4c0f284f156c73867fe90.tar.bz2 aports-cb35795acccd2a18d6a4c0f284f156c73867fe90.tar.xz |
community/mpv: security fix CVE-2018-6360
-rw-r--r-- | community/mpv/APKBUILD | 13 | ||||
-rw-r--r-- | community/mpv/CVE-2018-6360.patch | 105 |
2 files changed, 115 insertions, 3 deletions
diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD index 1301ec5a7a..8c18ef34dc 100644 --- a/community/mpv/APKBUILD +++ b/community/mpv/APKBUILD @@ -5,7 +5,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mpv pkgver=0.27.0 -pkgrel=2 +pkgrel=3 pkgdesc="Video player based on MPlayer/mplayer2" url="https://mpv.io/" arch="all" @@ -20,9 +20,15 @@ subpackages=" $pkgname-libs $pkgname-zsh-completion:zshcomp:noarch" source="$pkgname-$pkgver.tar.gz::https://github.com/mpv-player/$pkgname/archive/v$pkgver.tar.gz - fix-libva2.patch" + fix-libva2.patch + CVE-2018-6360.patch + " builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 0.27.0-r3: +# - CVE-2018-6360 + prepare() { default_prepare @@ -69,4 +75,5 @@ zshcomp() { } sha512sums="22738f907d84d362095773972f685e3b03ab4c8172a22ddede290fc221a83ab9135b96f8b18191dabe842b2963f68983929cf065097287fc1a054a7d5f1d0ae4 mpv-0.27.0.tar.gz -43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84 fix-libva2.patch" +43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84 fix-libva2.patch +59418020e66b48d27e8822fe2ccab9bb61a2a8fe0becb4bcadd8580f58785ab1d568f62af0edda43e3dab7ed76bb607ce6e6ced64cd2bda5fc2c346c1a0d9f13 CVE-2018-6360.patch" diff --git a/community/mpv/CVE-2018-6360.patch b/community/mpv/CVE-2018-6360.patch new file mode 100644 index 0000000000..c5c4f54f40 --- /dev/null +++ b/community/mpv/CVE-2018-6360.patch @@ -0,0 +1,105 @@ +Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl + This patch is a combination of these upstream commits: + - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from + youtube-dl") + - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code") + - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls") + . + jcowgill: backported to 0.27 + Fixes CVE-2018-6360 +Author: Ricardo Constantino <wiiaboo@gmail.com> +Bug: https://github.com/mpv-player/mpv/issues/5456 +Bug-Debian: https://bugs.debian.org/888654 +Applied-Upstream: v0.29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ + +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -15,6 +15,18 @@ local ytdl = { + + local chapter_list = {} + ++function Set (t) ++ local set = {} ++ for _, v in pairs(t) do set[v] = true end ++ return set ++end ++ ++local safe_protos = Set { ++ "http", "https", "ftp", "ftps", ++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", ++ "data" ++} ++ + local function exec(args) + local ret = utils.subprocess({args = args}) + return ret.status, ret.stdout, ret +@@ -71,6 +83,15 @@ local function edl_escape(url) + return "%" .. string.len(url) .. "%" .. url + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function time_to_secs(time_string) + local ret + +@@ -182,6 +203,9 @@ local function edl_track_joined(fragment + + for i = offset, #fragments do + local fragment = fragments[i] ++ if not url_is_safe(join_url(base, fragment)) then ++ return nil ++ end + table.insert(parts, edl_escape(join_url(base, fragment))) + if fragment.duration then + parts[#parts] = +@@ -201,6 +225,9 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) ++ if not edl_track and not url_is_safe(track.url) then ++ return ++ end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +@@ -217,6 +244,9 @@ local function add_single_video(json) + edl_track = edl_track_joined(json.fragments, json.protocol, + json.is_live, json.fragment_base_url) + ++ if not edl_track and not url_is_safe(json.url) then ++ return ++ end + -- normal video or single track + streamurl = edl_track or json.url + set_http_headers(json.http_headers) +@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function () + + msg.debug("EDL: " .. playlist) + ++ if not playlist then ++ return ++ end ++ + -- can't change the http headers for each entry, so use the 1st + if json.entries[1] then + set_http_headers(json.entries[1].http_headers) +@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function () + site = entry["webpage_url"] + end + +- playlist = playlist .. "ytdl://" .. site .. "\n" ++ if url_is_safe(site) then ++ playlist = playlist .. "ytdl://" .. site .. "\n" ++ end + end + + mp.set_property("stream-open-filename", "memory://" .. playlist) |