aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2018-02-07 14:59:05 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-02-07 14:59:12 +0000
commitcb35795acccd2a18d6a4c0f284f156c73867fe90 (patch)
tree71ad8c554a22de80aeffdb3079454e60701b71b6
parentf6dbda6d21a3c65a7895b41b4c1ed97adef1ca28 (diff)
downloadaports-cb35795acccd2a18d6a4c0f284f156c73867fe90.tar.bz2
aports-cb35795acccd2a18d6a4c0f284f156c73867fe90.tar.xz
community/mpv: security fix CVE-2018-6360
-rw-r--r--community/mpv/APKBUILD13
-rw-r--r--community/mpv/CVE-2018-6360.patch105
2 files changed, 115 insertions, 3 deletions
diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD
index 1301ec5a7a..8c18ef34dc 100644
--- a/community/mpv/APKBUILD
+++ b/community/mpv/APKBUILD
@@ -5,7 +5,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mpv
pkgver=0.27.0
-pkgrel=2
+pkgrel=3
pkgdesc="Video player based on MPlayer/mplayer2"
url="https://mpv.io/"
arch="all"
@@ -20,9 +20,15 @@ subpackages="
$pkgname-libs
$pkgname-zsh-completion:zshcomp:noarch"
source="$pkgname-$pkgver.tar.gz::https://github.com/mpv-player/$pkgname/archive/v$pkgver.tar.gz
- fix-libva2.patch"
+ fix-libva2.patch
+ CVE-2018-6360.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 0.27.0-r3:
+# - CVE-2018-6360
+
prepare() {
default_prepare
@@ -69,4 +75,5 @@ zshcomp() {
}
sha512sums="22738f907d84d362095773972f685e3b03ab4c8172a22ddede290fc221a83ab9135b96f8b18191dabe842b2963f68983929cf065097287fc1a054a7d5f1d0ae4 mpv-0.27.0.tar.gz
-43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84 fix-libva2.patch"
+43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84 fix-libva2.patch
+59418020e66b48d27e8822fe2ccab9bb61a2a8fe0becb4bcadd8580f58785ab1d568f62af0edda43e3dab7ed76bb607ce6e6ced64cd2bda5fc2c346c1a0d9f13 CVE-2018-6360.patch"
diff --git a/community/mpv/CVE-2018-6360.patch b/community/mpv/CVE-2018-6360.patch
new file mode 100644
index 0000000000..c5c4f54f40
--- /dev/null
+++ b/community/mpv/CVE-2018-6360.patch
@@ -0,0 +1,105 @@
+Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl
+ This patch is a combination of these upstream commits:
+ - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from
+ youtube-dl")
+ - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code")
+ - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls")
+ .
+ jcowgill: backported to 0.27
+ Fixes CVE-2018-6360
+Author: Ricardo Constantino <wiiaboo@gmail.com>
+Bug: https://github.com/mpv-player/mpv/issues/5456
+Bug-Debian: https://bugs.debian.org/888654
+Applied-Upstream: v0.29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -15,6 +15,18 @@ local ytdl = {
+
+ local chapter_list = {}
+
++function Set (t)
++ local set = {}
++ for _, v in pairs(t) do set[v] = true end
++ return set
++end
++
++local safe_protos = Set {
++ "http", "https", "ftp", "ftps",
++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++ "data"
++}
++
+ local function exec(args)
+ local ret = utils.subprocess({args = args})
+ return ret.status, ret.stdout, ret
+@@ -71,6 +83,15 @@ local function edl_escape(url)
+ return "%" .. string.len(url) .. "%" .. url
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function time_to_secs(time_string)
+ local ret
+
+@@ -182,6 +203,9 @@ local function edl_track_joined(fragment
+
+ for i = offset, #fragments do
+ local fragment = fragments[i]
++ if not url_is_safe(join_url(base, fragment)) then
++ return nil
++ end
+ table.insert(parts, edl_escape(join_url(base, fragment)))
+ if fragment.duration then
+ parts[#parts] =
+@@ -201,6 +225,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
++ if not edl_track and not url_is_safe(track.url) then
++ return
++ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+@@ -217,6 +244,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(json.fragments, json.protocol,
+ json.is_live, json.fragment_base_url)
+
++ if not edl_track and not url_is_safe(json.url) then
++ return
++ end
+ -- normal video or single track
+ streamurl = edl_track or json.url
+ set_http_headers(json.http_headers)
+@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function ()
+
+ msg.debug("EDL: " .. playlist)
+
++ if not playlist then
++ return
++ end
++
+ -- can't change the http headers for each entry, so use the 1st
+ if json.entries[1] then
+ set_http_headers(json.entries[1].http_headers)
+@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function ()
+ site = entry["webpage_url"]
+ end
+
+- playlist = playlist .. "ytdl://" .. site .. "\n"
++ if url_is_safe(site) then
++ playlist = playlist .. "ytdl://" .. site .. "\n"
++ end
+ end
+
+ mp.set_property("stream-open-filename", "memory://" .. playlist)