diff options
| author | dai9ah <dai9ah@protonmail.com> | 2018-02-15 03:08:15 +0200 |
|---|---|---|
| committer | Sören Tempel <soeren+git@soeren-tempel.net> | 2018-02-15 18:48:56 +0100 |
| commit | f9bcb53b49bde7e80cb2737774878772a9182402 (patch) | |
| tree | daaf6907ed015a21e708a5e7ab36c4f7ac59d56e /community/mpv | |
| parent | 6fa471b201aa768be71e21b66cda04fceaee490b (diff) | |
| download | aports-f9bcb53b49bde7e80cb2737774878772a9182402.tar.bz2 aports-f9bcb53b49bde7e80cb2737774878772a9182402.tar.xz | |
community/mpv: upgrade to 0.27.2
Diffstat (limited to 'community/mpv')
| -rw-r--r-- | community/mpv/APKBUILD | 10 | ||||
| -rw-r--r-- | community/mpv/CVE-2018-6360.patch | 105 |
2 files changed, 4 insertions, 111 deletions
diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD index 8c18ef34dc..3ab55d322b 100644 --- a/community/mpv/APKBUILD +++ b/community/mpv/APKBUILD @@ -4,8 +4,8 @@ # Contributor: Jakub Skrzypnik <j.skrzypnik@openmailbox.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mpv -pkgver=0.27.0 -pkgrel=3 +pkgver=0.27.2 +pkgrel=0 pkgdesc="Video player based on MPlayer/mplayer2" url="https://mpv.io/" arch="all" @@ -21,7 +21,6 @@ subpackages=" $pkgname-zsh-completion:zshcomp:noarch" source="$pkgname-$pkgver.tar.gz::https://github.com/mpv-player/$pkgname/archive/v$pkgver.tar.gz fix-libva2.patch - CVE-2018-6360.patch " builddir="$srcdir/$pkgname-$pkgver" @@ -74,6 +73,5 @@ zshcomp() { "$subpkgdir/usr/share/zsh/site-functions" } -sha512sums="22738f907d84d362095773972f685e3b03ab4c8172a22ddede290fc221a83ab9135b96f8b18191dabe842b2963f68983929cf065097287fc1a054a7d5f1d0ae4 mpv-0.27.0.tar.gz -43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84 fix-libva2.patch -59418020e66b48d27e8822fe2ccab9bb61a2a8fe0becb4bcadd8580f58785ab1d568f62af0edda43e3dab7ed76bb607ce6e6ced64cd2bda5fc2c346c1a0d9f13 CVE-2018-6360.patch" +sha512sums="bf74a150b3732b8c233362e0902c54f85fbea9ca1765a2a8f946a6eecd9b37a72ede36a36d0dd98a770539c4f81fe24c8ce26be9db7cd6eddd8514a8f82d9cda mpv-0.27.2.tar.gz +43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84 fix-libva2.patch" diff --git a/community/mpv/CVE-2018-6360.patch b/community/mpv/CVE-2018-6360.patch deleted file mode 100644 index c5c4f54f40..0000000000 --- a/community/mpv/CVE-2018-6360.patch +++ /dev/null @@ -1,105 +0,0 @@ -Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl - This patch is a combination of these upstream commits: - - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from - youtube-dl") - - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code") - - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls") - . - jcowgill: backported to 0.27 - Fixes CVE-2018-6360 -Author: Ricardo Constantino <wiiaboo@gmail.com> -Bug: https://github.com/mpv-player/mpv/issues/5456 -Bug-Debian: https://bugs.debian.org/888654 -Applied-Upstream: v0.29 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ - ---- a/player/lua/ytdl_hook.lua -+++ b/player/lua/ytdl_hook.lua -@@ -15,6 +15,18 @@ local ytdl = { - - local chapter_list = {} - -+function Set (t) -+ local set = {} -+ for _, v in pairs(t) do set[v] = true end -+ return set -+end -+ -+local safe_protos = Set { -+ "http", "https", "ftp", "ftps", -+ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", -+ "data" -+} -+ - local function exec(args) - local ret = utils.subprocess({args = args}) - return ret.status, ret.stdout, ret -@@ -71,6 +83,15 @@ local function edl_escape(url) - return "%" .. string.len(url) .. "%" .. url - end - -+local function url_is_safe(url) -+ local proto = type(url) == "string" and url:match("^(.+)://") or nil -+ local safe = proto and safe_protos[proto] -+ if not safe then -+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) -+ end -+ return safe -+end -+ - local function time_to_secs(time_string) - local ret - -@@ -182,6 +203,9 @@ local function edl_track_joined(fragment - - for i = offset, #fragments do - local fragment = fragments[i] -+ if not url_is_safe(join_url(base, fragment)) then -+ return nil -+ end - table.insert(parts, edl_escape(join_url(base, fragment))) - if fragment.duration then - parts[#parts] = -@@ -201,6 +225,9 @@ local function add_single_video(json) - edl_track = edl_track_joined(track.fragments, - track.protocol, json.is_live, - track.fragment_base_url) -+ if not edl_track and not url_is_safe(track.url) then -+ return -+ end - if track.acodec and track.acodec ~= "none" then - -- audio track - mp.commandv("audio-add", -@@ -217,6 +244,9 @@ local function add_single_video(json) - edl_track = edl_track_joined(json.fragments, json.protocol, - json.is_live, json.fragment_base_url) - -+ if not edl_track and not url_is_safe(json.url) then -+ return -+ end - -- normal video or single track - streamurl = edl_track or json.url - set_http_headers(json.http_headers) -@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function () - - msg.debug("EDL: " .. playlist) - -+ if not playlist then -+ return -+ end -+ - -- can't change the http headers for each entry, so use the 1st - if json.entries[1] then - set_http_headers(json.entries[1].http_headers) -@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function () - site = entry["webpage_url"] - end - -- playlist = playlist .. "ytdl://" .. site .. "\n" -+ if url_is_safe(site) then -+ playlist = playlist .. "ytdl://" .. site .. "\n" -+ end - end - - mp.set_property("stream-open-filename", "memory://" .. playlist) |