community/mpv: security fix CVE-2018-6360

2 files changed, 115 insertions, 3 deletions

diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD
index 1301ec5a7a..8c18ef34dc 100644
--- a/community/mpv/APKBUILD
+++ b/community/mpv/APKBUILD
@@ -5,7 +5,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mpv
 pkgver=0.27.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Video player based on MPlayer/mplayer2"
 url="https://mpv.io/"
 arch="all"
@@ -20,9 +20,15 @@ subpackages="
 	$pkgname-libs
 	$pkgname-zsh-completion:zshcomp:noarch"
 source="$pkgname-$pkgver.tar.gz::https://github.com/mpv-player/$pkgname/archive/v$pkgver.tar.gz
-	fix-libva2.patch"
+	fix-libva2.patch
+	CVE-2018-6360.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   0.27.0-r3:
+#     - CVE-2018-6360
+
 prepare() {
 	default_prepare
 
@@ -69,4 +75,5 @@ zshcomp() {
 }
 
 sha512sums="22738f907d84d362095773972f685e3b03ab4c8172a22ddede290fc221a83ab9135b96f8b18191dabe842b2963f68983929cf065097287fc1a054a7d5f1d0ae4  mpv-0.27.0.tar.gz
-43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84  fix-libva2.patch"
+43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84  fix-libva2.patch
+59418020e66b48d27e8822fe2ccab9bb61a2a8fe0becb4bcadd8580f58785ab1d568f62af0edda43e3dab7ed76bb607ce6e6ced64cd2bda5fc2c346c1a0d9f13  CVE-2018-6360.patch"
diff --git a/community/mpv/CVE-2018-6360.patch b/community/mpv/CVE-2018-6360.patch
new file mode 100644
index 0000000000..c5c4f54f40
--- /dev/null
+++ b/community/mpv/CVE-2018-6360.patch
@@ -0,0 +1,105 @@
+Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl
+ This patch is a combination of these upstream commits:
+ - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from
+   youtube-dl")
+ - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code")
+ - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls")
+ .
+ jcowgill: backported to 0.27
+ Fixes CVE-2018-6360
+Author: Ricardo Constantino <wiiaboo@gmail.com>
+Bug: https://github.com/mpv-player/mpv/issues/5456
+Bug-Debian: https://bugs.debian.org/888654
+Applied-Upstream: v0.29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -15,6 +15,18 @@ local ytdl = {
+ 
+ local chapter_list = {}
+ 
++function Set (t)
++    local set = {}
++    for _, v in pairs(t) do set[v] = true end
++    return set
++end
++
++local safe_protos = Set {
++    "http", "https", "ftp", "ftps",
++    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++    "data"
++}
++
+ local function exec(args)
+     local ret = utils.subprocess({args = args})
+     return ret.status, ret.stdout, ret
+@@ -71,6 +83,15 @@ local function edl_escape(url)
+     return "%" .. string.len(url) .. "%" .. url
+ end
+ 
++local function url_is_safe(url)
++    local proto = type(url) == "string" and url:match("^(.+)://") or nil
++    local safe = proto and safe_protos[proto]
++    if not safe then
++        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++    end
++    return safe
++end
++
+ local function time_to_secs(time_string)
+     local ret
+ 
+@@ -182,6 +203,9 @@ local function edl_track_joined(fragment
+ 
+     for i = offset, #fragments do
+         local fragment = fragments[i]
++        if not url_is_safe(join_url(base, fragment)) then
++            return nil
++        end
+         table.insert(parts, edl_escape(join_url(base, fragment)))
+         if fragment.duration then
+             parts[#parts] =
+@@ -201,6 +225,9 @@ local function add_single_video(json)
+             edl_track = edl_track_joined(track.fragments,
+                 track.protocol, json.is_live,
+                 track.fragment_base_url)
++            if not edl_track and not url_is_safe(track.url) then
++                return
++            end
+             if track.acodec and track.acodec ~= "none" then
+                 -- audio track
+                 mp.commandv("audio-add",
+@@ -217,6 +244,9 @@ local function add_single_video(json)
+         edl_track = edl_track_joined(json.fragments, json.protocol,
+             json.is_live, json.fragment_base_url)
+ 
++        if not edl_track and not url_is_safe(json.url) then
++            return
++        end
+         -- normal video or single track
+         streamurl = edl_track or json.url
+         set_http_headers(json.http_headers)
+@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function ()
+ 
+                 msg.debug("EDL: " .. playlist)
+ 
++                if not playlist then
++                    return
++                end
++
+                 -- can't change the http headers for each entry, so use the 1st
+                 if json.entries[1] then
+                     set_http_headers(json.entries[1].http_headers)
+@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function ()
+                         site = entry["webpage_url"]
+                     end
+ 
+-                    playlist = playlist .. "ytdl://" .. site .. "\n"
++                    if url_is_safe(site) then
++                        playlist = playlist .. "ytdl://" .. site .. "\n"
++                    end
+                 end
+ 
+                 mp.set_property("stream-open-filename", "memory://" .. playlist)