[PATCH] gnu: mpv: Fix CVE-2018-6360.

Done. Submitted by Alex Vong.
Details
2 participants
  • Alex Vong
  • Leo Famulari
Owner
unassigned
Severity
normal
Alex Vong wrote on 7 Feb 2018 07:53
(address . guix-patches@gnu.org)
87tvuts33b.fsf@gmail.com
Tags: security
Hello,
This patch fixes CVE-2018-6360, which is about mpv maybe getting tricked into playing an unsafe URL returned by youtube-dl.

From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 7 Feb 2018 14:39:40 +0800
Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.

* gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/video.scm (mpv)[source]: Use them.
---
 gnu/local.mk                                   |   5 +-
 gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 +++++++++++++++++++++++++
 gnu/packages/patches/mpv-CVE-2018-6360-2.patch |  59 +++++++++++
 gnu/packages/patches/mpv-CVE-2018-6360-3.patch |  84 +++++++++++++++
 gnu/packages/video.scm                         |   5 +-
 5 files changed, 289 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch
Toggle diff (347 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex ca400dae6..0d3da924d 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -9,7 +9,7 @@ # Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org> # Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net> # Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>-# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>+# Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com> # Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> # Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org> # Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>@@ -911,6 +911,9 @@ dist_patch_DATA = \ %D%/packages/patches/mhash-keygen-test-segfault.patch \ %D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-1.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-2.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-3.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patchnew file mode 100644index 000000000..55fc7daaf--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch@@ -0,0 +1,138 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43++To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4+checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available+for the 0.28.0 release. 
So it should be safe to remove hunk #4.++From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Fri, 26 Jan 2018 01:19:04 +0000+Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from+ youtube-dl++Not very clean since there's a lot of potential unsafe urls that youtube-dl+can give us, depending on whether it's a single url, split tracks,+playlists, segmented dash, etc.+---+ player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------+ 1 file changed, 47 insertions(+), 7 deletions(-)++diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua+index dd96ecc01d..b480c21625 100644+--- a/player/lua/ytdl_hook.lua++++ b/player/lua/ytdl_hook.lua+@@ -16,6 +16,18 @@ local ytdl = {+ + local chapter_list = {}+ ++function Set (t)++ local set = {}++ for _, v in pairs(t) do set[v] = true end++ return set++end++++local safe_protos = Set {++ "http", "https", "ftp", "ftps",++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",++ "data"++}+++ local function exec(args)+ local ret = utils.subprocess({args = args})+ return ret.status, ret.stdout, ret+@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)+ + for i = offset, #fragments do+ local fragment = fragments[i]++ if not url_is_safe(join_url(base, fragment)) then++ return nil++ end+ table.insert(parts, edl_escape(join_url(base, fragment)))+ if fragment.duration then+ parts[#parts] =+@@ -208,6 +223,15 @@ local function proto_is_dash(json)+ or json["protocol"] == "http_dash_segments"+ end+ ++local function url_is_safe(url)++ local proto = type(url) == "string" and url:match("^(.+)://") or nil++ local safe = proto and safe_protos[proto]++ if not safe then++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))++ end++ return safe++end+++ local function add_single_video(json)+ local streamurl = ""+ local max_bitrate = 0+@@ -238,14 +264,18 @@ local function add_single_video(json)+ 
edl_track = edl_track_joined(track.fragments,+ track.protocol, json.is_live,+ track.fragment_base_url)++ local url = edl_track or track.url++ if not url_is_safe(url) then++ return++ end+ if track.acodec and track.acodec ~= "none" then+ -- audio track+ mp.commandv("audio-add",+- edl_track or track.url, "auto",++ url, "auto",+ track.format_note or "")+ elseif track.vcodec and track.vcodec ~= "none" then+ -- video track+- streamurl = edl_track or track.url++ streamurl = url+ end+ end+ +@@ -264,7 +294,13 @@ local function add_single_video(json)+ + msg.debug("streamurl: " .. streamurl)+ +- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))++ streamurl = streamurl:gsub("^data:", "data://", 1)++++ if not url_is_safe(streamurl) then++ return++ end++++ mp.set_property("stream-open-filename", streamurl)+ + mp.set_property("file-local-options/force-media-title", json.title)+ +@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()+ site = entry["webpage_url"]+ end+ +- if not (site:find("https?://") == 1) then+- site = "ytdl://" .. site++ -- links with only youtube id as returned by --flat-playlist++ if not site:find("://") then++ table.insert(playlist, "ytdl://" .. site)++ elseif url_is_safe(site) then++ table.insert(playlist, site)+ end+- table.insert(playlist, site)+ + end+ +- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))++ if #playlist > 0 then++ mp.set_property("stream-open-filename", "memory://" .. 
table.concat(playlist, "\n"))++ end+ end+ + else -- probably a video+-- +2.16.1+diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patchnew file mode 100644index 000000000..b37e33a64--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch@@ -0,0 +1,59 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f++From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Fri, 26 Jan 2018 11:26:27 +0000+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code++lua isn't javascript.+---+ player/lua/ytdl_hook.lua | 18 +++++++++---------+ 1 file changed, 9 insertions(+), 9 deletions(-)++diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua+index b480c21625..458c94af38 100644+--- a/player/lua/ytdl_hook.lua++++ b/player/lua/ytdl_hook.lua+@@ -84,6 +84,15 @@ local function edl_escape(url)+ return "%" .. string.len(url) .. "%" .. 
url+ end+ ++local function url_is_safe(url)++ local proto = type(url) == "string" and url:match("^(.+)://") or nil++ local safe = proto and safe_protos[proto]++ if not safe then++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))++ end++ return safe++end+++ local function time_to_secs(time_string)+ local ret+ +@@ -223,15 +232,6 @@ local function proto_is_dash(json)+ or json["protocol"] == "http_dash_segments"+ end+ +-local function url_is_safe(url)+- local proto = type(url) == "string" and url:match("^(.+)://") or nil+- local safe = proto and safe_protos[proto]+- if not safe then+- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))+- end+- return safe+-end+-+ local function add_single_video(json)+ local streamurl = ""+ local max_bitrate = 0+-- +2.16.1+diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patchnew file mode 100644index 000000000..dc3e272d3--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch@@ -0,0 +1,84 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828++From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Fri, 26 Jan 2018 18:54:17 +0000+Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls++---+ player/lua/ytdl_hook.lua | 22 +++++++++++-----------+ 1 file changed, 11 insertions(+), 11 deletions(-)++diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua+index 458c94af38..6c8e78657d 100644+--- a/player/lua/ytdl_hook.lua++++ b/player/lua/ytdl_hook.lua+@@ -264,18 +264,17 @@ local function add_single_video(json)+ edl_track = edl_track_joined(track.fragments,+ track.protocol, json.is_live,+ 
track.fragment_base_url)+- local url = edl_track or track.url+- if not url_is_safe(url) then++ if not edl_track and not url_is_safe(track.url) then+ return+ end+ if track.acodec and track.acodec ~= "none" then+ -- audio track+ mp.commandv("audio-add",+- url, "auto",++ edl_track or track.url, "auto",+ track.format_note or "")+ elseif track.vcodec and track.vcodec ~= "none" then+ -- video track+- streamurl = url++ streamurl = edl_track or track.url+ end+ end+ +@@ -284,6 +283,9 @@ local function add_single_video(json)+ edl_track = edl_track_joined(json.fragments, json.protocol,+ json.is_live, json.fragment_base_url)+ ++ if not edl_track and not url_is_safe(json.url) then++ return++ end+ -- normal video or single track+ streamurl = edl_track or json.url+ set_http_headers(json.http_headers)+@@ -294,13 +296,7 @@ local function add_single_video(json)+ + msg.debug("streamurl: " .. streamurl)+ +- streamurl = streamurl:gsub("^data:", "data://", 1)+-+- if not url_is_safe(streamurl) then+- return+- end+-+- mp.set_property("stream-open-filename", streamurl)++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))+ + mp.set_property("file-local-options/force-media-title", json.title)+ +@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()+ + msg.debug("EDL: " .. 
playlist)+ ++ if not playlist then++ return++ end+++ -- can't change the http headers for each entry, so use the 1st+ if json.entries[1] then+ set_http_headers(json.entries[1].http_headers)+-- +2.16.1+diff --git a/gnu/packages/video.scm b/gnu/packages/video.scmindex 8cbe590bf..5865713b8 100644--- a/gnu/packages/video.scm+++ b/gnu/packages/video.scm@@ -6,7 +6,7 @@ ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>-;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com>+;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com> ;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com> ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net> ;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>@@ -1018,6 +1018,9 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.") (sha256 (base32 "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))+ (patches (search-patches "mpv-CVE-2018-6360-1.patch"+ "mpv-CVE-2018-6360-2.patch"+ "mpv-CVE-2018-6360-3.patch")) (file-name (string-append name "-" version ".tar.gz")))) (build-system waf-build-system) (native-inputs-- 2.16.1
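Review bot: In url_is_safe (added by mpv-CVE-2018-6360-1.patch at the hunk -208,6 +223,15 and moved by -2.patch), the pattern "^(.+)://" is greedy, so the captured scheme runs up to the last "://" in the string rather than the first. The check still fails closed, because the whole capture has to equal an entry in safe_protos, but a URL with an allowed scheme that carries another "://" later on, for instance inside a query parameter, is rejected and logged as potentially unsafe. Matching only a scheme-shaped prefix, for example "^(%a[%w+.-]*)://", would compare just the leading scheme; the lookup is also case-sensitive, so lowercasing proto before indexing safe_protos is worth considering.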
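Review bot: In the last hunk of mpv-CVE-2018-6360-3.patch (-499,6 +495,10), the added guard "if not playlist then return end" comes after the context line msg.debug("EDL: " .. playlist). When playlist is nil, that concatenation raises a Lua error before the guard is reached, so the hook ends in a script error instead of the intended early return. Moving the nil check above the msg.debug call would make the guard effective.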
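Review bot: mpv-CVE-2018-6360-1.patch calls url_is_safe inside edl_track_joined (hunk -183,6 +195,9) but declares it as a local function only further down the file (hunk -208,6 +223,15), so at that call site the name refers to an undefined global; -2.patch corrects this by moving the definition up. The three files therefore only work as a set and in this order, which deserves a short comment next to the patches field in the video.scm hunk so that nobody later drops or reorders one of them. As a smaller style point, "function Set (t)" in the first hunk of -1.patch is declared global; "local function Set(t)" would keep it out of the script's global namespace.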
Cheers,
Alex
Alex Vong wrote on 7 Feb 2018 07:59
(address . 30378@debbugs.gnu.org)
87po5hs2sz.fsf@gmail.com
BTW, I forgot to mention that I removed hunk #4 from the first patch since it checks if 'mpd_url' is safe, but the feature of 'mpd_url' is not available in the 0.28.0 release yet. So I think it should be fine.
Leo Famulari wrote on 8 Feb 2018 03:44
Re: [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30378@debbugs.gnu.org)
20180208024417.GB16980@jasmine.lan
On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
> into playing unsafe url returned by youtube-dl.
>
> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.
Thank you very much for putting this patch together!
I noticed that the person who fixed the bug upstream said that 4 commits were needed [0], but this patch (and Debian's and Nix's) are missing the first in that person's list, 828bd2963cd10.
I'm going to ask upstream to clarify but, in the meantime, do you know why this patch is not included?
[0] https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132

Alex Vong wrote on 8 Feb 2018 06:53
(name . Leo Famulari)(address . leo@famulari.name)(address . 30378@debbugs.gnu.org)
87mv0kqb67.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:
> On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
>> into playing unsafe url returned by youtube-dl.
>
>> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 7 Feb 2018 14:39:40 +0800
>> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>>
>> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/video.scm (mpv)[source]: Use them.
>
> Thank you very much for putting this patch together!
>
:-)
> I noticed that the person who fixed the bug upstream said that 4 commits
> were needed [0], but this patch (and Debian's and Nix's) are missing the
> first in that person's list, 828bd2963cd10.
>
> I'm going to ask upstream to clarify but, in the meantime, do you know
> why this patch is not included?
>
I have no idea about this. I think we should wait for the author to tell us what they think. Here is a new patch with the 4 commits:

From 6891f7c24fdd90953454c8fdf68baade394eb9ba Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 7 Feb 2018 14:39:40 +0800
Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.

* gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
gnu/packages/patches/mpv-CVE-2018-6360-3.patch,
gnu/packages/patches/mpv-CVE-2018-6360-4.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/video.scm (mpv)[source]: Use them.
---
 gnu/local.mk                                   |   6 +-
 gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 133 ++++++++++++++++++++++++
 gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 138 +++++++++++++++++++++++++
 gnu/packages/patches/mpv-CVE-2018-6360-3.patch |  59 +++++++++++
 gnu/packages/patches/mpv-CVE-2018-6360-4.patch |  84 +++++++++++++++
 gnu/packages/video.scm                         |   6 +-
 6 files changed, 424 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch
 create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-4.patch
Toggle diff (488 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 3f0023a2f..b0b4ca482 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -9,7 +9,7 @@ # Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org> # Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net> # Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>-# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>+# Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com> # Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> # Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org> # Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>@@ -910,6 +910,10 @@ dist_patch_DATA = \ %D%/packages/patches/mhash-keygen-test-segfault.patch \ %D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-1.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-2.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-3.patch \+ %D%/packages/patches/mpv-CVE-2018-6360-4.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patchnew file mode 100644index 000000000..4d48da667--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch@@ -0,0 +1,133 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/828bd2963cd10a851e0a977809687aed4d377dc3++From 828bd2963cd10a851e0a977809687aed4d377dc3 Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Tue, 2 Jan 2018 20:46:58 +0000+Subject: 
[PATCH] command: add demuxer-lavf-list property++Was only available with --demuxer-lavf-format=help and the demuxer+needed to be used for it to actually print the list.++This can be used in the future to check if 'dash' support was compiled+with FFmpeg so ytdl_hook can use it instead. For now, dashdec is too+rudimentary to be used right away.+---+ DOCS/man/input.rst | 4 +++++ common/av_common.c | 17 ++++++++++++++++++ common/av_common.h | 1 ++ player/command.c | 15 ++++++++++++++++ 4 files changed, 37 insertions(+)++diff --git a/DOCS/man/input.rst b/DOCS/man/input.rst+index 16d8ecb45d..0ae4a0c0c8 100644+--- a/DOCS/man/input.rst++++ b/DOCS/man/input.rst+@@ -2119,6 +2119,10 @@ Property list+ The encoder names (``driver`` entries) can be passed to ``--ovc`` and+ ``--oac`` (without the ``lavc:`` prefix required by ``--vd`` and ``--ad``).+ ++``demuxer-lavf-list``++ List of available libavformat demuxers' names. This can be used to check++ for support for a specific format or use with ``--demuxer-lavf-format``.+++ ``mpv-version``+ Return the mpv version/copyright string. 
Depending on how the binary was+ built, it might contain either a release version, or just a git hash.+diff --git a/common/av_common.c b/common/av_common.c+index 65a212b994..0599d98465 100644+--- a/common/av_common.c++++ b/common/av_common.c+@@ -26,6 +26,7 @@+ #include <libavutil/error.h>+ #include <libavutil/cpu.h>+ #include <libavcodec/avcodec.h>++#include <libavformat/avformat.h>+ + #include "config.h"+ +@@ -33,6 +34,7 @@+ #include "common/msg.h"+ #include "demux/packet.h"+ #include "demux/stheader.h"++#include "misc/bstr.h"+ #include "video/fmt-conversion.h"+ #include "av_common.h"+ #include "codecs.h"+@@ -246,6 +248,21 @@ void mp_add_lavc_encoders(struct mp_decoder_list *list)+ }+ }+ ++char **mp_get_lavf_demuxers(void)++{++ char **list = NULL;++ AVInputFormat *cur = NULL;++ int num = 0;++ for (;;) {++ cur = av_iformat_next(cur);++ if (!cur)++ break;++ MP_TARRAY_APPEND(NULL, list, num, talloc_strdup(NULL, cur->name));++ }++ MP_TARRAY_APPEND(NULL, list, num, NULL);++ return list;++}+++ int mp_codec_to_av_codec_id(const char *codec)+ {+ int id = AV_CODEC_ID_NONE;+diff --git a/common/av_common.h b/common/av_common.h+index 6d0c823b8d..0e7c838884 100644+--- a/common/av_common.h++++ b/common/av_common.h+@@ -41,6 +41,7 @@ double mp_pts_from_av(int64_t av_pts, AVRational *tb);+ void mp_set_avcodec_threads(struct mp_log *l, AVCodecContext *avctx, int threads);+ void mp_add_lavc_decoders(struct mp_decoder_list *list, enum AVMediaType type);+ void mp_add_lavc_encoders(struct mp_decoder_list *list);++char **mp_get_lavf_demuxers(void);+ int mp_codec_to_av_codec_id(const char *codec);+ const char *mp_codec_from_av_codec_id(int codec_id);+ void mp_set_avdict(struct AVDictionary **dict, char **kv);+diff --git a/player/command.c b/player/command.c+index 6f2c15b047..412afc5e11 100644+--- a/player/command.c++++ b/player/command.c+@@ -3588,6 +3588,20 @@ static int mp_property_encoders(void *ctx, struct m_property *prop,+ return r;+ }+ ++static int mp_property_lavf_demuxers(void 
*ctx, struct m_property *prop,++ int action, void *arg)++{++ switch (action) {++ case M_PROPERTY_GET:++ *(char ***)arg = mp_get_lavf_demuxers();++ return M_PROPERTY_OK;++ case M_PROPERTY_GET_TYPE:++ *(struct m_option *)arg = (struct m_option){.type = CONF_TYPE_STRING_LIST};++ return M_PROPERTY_OK;++ }++ return M_PROPERTY_NOT_IMPLEMENTED;++}+++ static int mp_property_version(void *ctx, struct m_property *prop,+ int action, void *arg)+ {+@@ -4027,6 +4041,7 @@ static const struct m_property mp_properties_base[] = {+ {"protocol-list", mp_property_protocols},+ {"decoder-list", mp_property_decoders},+ {"encoder-list", mp_property_encoders},++ {"demuxer-lavf-list", mp_property_lavf_demuxers},+ + {"mpv-version", mp_property_version},+ {"mpv-configuration", mp_property_configuration},+-- +2.16.1+diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patchnew file mode 100644index 000000000..55fc7daaf--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch@@ -0,0 +1,138 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43++To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4+checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available+for the 0.28.0 release. 
So it should be safe to remove hunk #4.++From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Fri, 26 Jan 2018 01:19:04 +0000+Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from+ youtube-dl++Not very clean since there's a lot of potential unsafe urls that youtube-dl+can give us, depending on whether it's a single url, split tracks,+playlists, segmented dash, etc.+---+ player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------+ 1 file changed, 47 insertions(+), 7 deletions(-)++diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua+index dd96ecc01d..b480c21625 100644+--- a/player/lua/ytdl_hook.lua++++ b/player/lua/ytdl_hook.lua+@@ -16,6 +16,18 @@ local ytdl = {+ + local chapter_list = {}+ ++function Set (t)++ local set = {}++ for _, v in pairs(t) do set[v] = true end++ return set++end++++local safe_protos = Set {++ "http", "https", "ftp", "ftps",++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",++ "data"++}+++ local function exec(args)+ local ret = utils.subprocess({args = args})+ return ret.status, ret.stdout, ret+@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)+ + for i = offset, #fragments do+ local fragment = fragments[i]++ if not url_is_safe(join_url(base, fragment)) then++ return nil++ end+ table.insert(parts, edl_escape(join_url(base, fragment)))+ if fragment.duration then+ parts[#parts] =+@@ -208,6 +223,15 @@ local function proto_is_dash(json)+ or json["protocol"] == "http_dash_segments"+ end+ ++local function url_is_safe(url)++ local proto = type(url) == "string" and url:match("^(.+)://") or nil++ local safe = proto and safe_protos[proto]++ if not safe then++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))++ end++ return safe++end+++ local function add_single_video(json)+ local streamurl = ""+ local max_bitrate = 0+@@ -238,14 +264,18 @@ local function add_single_video(json)+ 
edl_track = edl_track_joined(track.fragments,+ track.protocol, json.is_live,+ track.fragment_base_url)++ local url = edl_track or track.url++ if not url_is_safe(url) then++ return++ end+ if track.acodec and track.acodec ~= "none" then+ -- audio track+ mp.commandv("audio-add",+- edl_track or track.url, "auto",++ url, "auto",+ track.format_note or "")+ elseif track.vcodec and track.vcodec ~= "none" then+ -- video track+- streamurl = edl_track or track.url++ streamurl = url+ end+ end+ +@@ -264,7 +294,13 @@ local function add_single_video(json)+ + msg.debug("streamurl: " .. streamurl)+ +- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))++ streamurl = streamurl:gsub("^data:", "data://", 1)++++ if not url_is_safe(streamurl) then++ return++ end++++ mp.set_property("stream-open-filename", streamurl)+ + mp.set_property("file-local-options/force-media-title", json.title)+ +@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()+ site = entry["webpage_url"]+ end+ +- if not (site:find("https?://") == 1) then+- site = "ytdl://" .. site++ -- links with only youtube id as returned by --flat-playlist++ if not site:find("://") then++ table.insert(playlist, "ytdl://" .. site)++ elseif url_is_safe(site) then++ table.insert(playlist, site)+ end+- table.insert(playlist, site)+ + end+ +- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))++ if #playlist > 0 then++ mp.set_property("stream-open-filename", "memory://" .. 
table.concat(playlist, "\n"))++ end+ end+ + else -- probably a video+-- +2.16.1+diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patchnew file mode 100644index 000000000..b37e33a64--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch@@ -0,0 +1,59 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f++From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Fri, 26 Jan 2018 11:26:27 +0000+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code++lua isn't javascript.+---+ player/lua/ytdl_hook.lua | 18 +++++++++---------+ 1 file changed, 9 insertions(+), 9 deletions(-)++diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua+index b480c21625..458c94af38 100644+--- a/player/lua/ytdl_hook.lua++++ b/player/lua/ytdl_hook.lua+@@ -84,6 +84,15 @@ local function edl_escape(url)+ return "%" .. string.len(url) .. "%" .. 
url+ end+ ++local function url_is_safe(url)++ local proto = type(url) == "string" and url:match("^(.+)://") or nil++ local safe = proto and safe_protos[proto]++ if not safe then++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))++ end++ return safe++end+++ local function time_to_secs(time_string)+ local ret+ +@@ -223,15 +232,6 @@ local function proto_is_dash(json)+ or json["protocol"] == "http_dash_segments"+ end+ +-local function url_is_safe(url)+- local proto = type(url) == "string" and url:match("^(.+)://") or nil+- local safe = proto and safe_protos[proto]+- if not safe then+- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))+- end+- return safe+-end+-+ local function add_single_video(json)+ local streamurl = ""+ local max_bitrate = 0+-- +2.16.1+diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-4.patch b/gnu/packages/patches/mpv-CVE-2018-6360-4.patchnew file mode 100644index 000000000..dc3e272d3--- /dev/null+++ b/gnu/packages/patches/mpv-CVE-2018-6360-4.patch@@ -0,0 +1,84 @@+Fix CVE-2018-6360:++https://github.com/mpv-player/mpv/issues/5456+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360+https://security-tracker.debian.org/tracker/CVE-2018-6360++Patch copied from upstream source repository:++https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828++From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001+From: Ricardo Constantino <wiiaboo@gmail.com>+Date: Fri, 26 Jan 2018 18:54:17 +0000+Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls++---+ player/lua/ytdl_hook.lua | 22 +++++++++++-----------+ 1 file changed, 11 insertions(+), 11 deletions(-)++diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua+index 458c94af38..6c8e78657d 100644+--- a/player/lua/ytdl_hook.lua++++ b/player/lua/ytdl_hook.lua+@@ -264,18 +264,17 @@ local function add_single_video(json)+ edl_track = edl_track_joined(track.fragments,+ track.protocol, json.is_live,+ 
track.fragment_base_url)+- local url = edl_track or track.url+- if not url_is_safe(url) then++ if not edl_track and not url_is_safe(track.url) then+ return+ end+ if track.acodec and track.acodec ~= "none" then+ -- audio track+ mp.commandv("audio-add",+- url, "auto",++ edl_track or track.url, "auto",+ track.format_note or "")+ elseif track.vcodec and track.vcodec ~= "none" then+ -- video track+- streamurl = url++ streamurl = edl_track or track.url+ end+ end+ +@@ -284,6 +283,9 @@ local function add_single_video(json)+ edl_track = edl_track_joined(json.fragments, json.protocol,+ json.is_live, json.fragment_base_url)+ ++ if not edl_track and not url_is_safe(json.url) then++ return++ end+ -- normal video or single track+ streamurl = edl_track or json.url+ set_http_headers(json.http_headers)+@@ -294,13 +296,7 @@ local function add_single_video(json)+ + msg.debug("streamurl: " .. streamurl)+ +- streamurl = streamurl:gsub("^data:", "data://", 1)+-+- if not url_is_safe(streamurl) then+- return+- end+-+- mp.set_property("stream-open-filename", streamurl)++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))+ + mp.set_property("file-local-options/force-media-title", json.title)+ +@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()+ + msg.debug("EDL: " .. 
playlist)+ ++ if not playlist then++ return++ end+++ -- can't change the http headers for each entry, so use the 1st+ if json.entries[1] then+ set_http_headers(json.entries[1].http_headers)+-- +2.16.1+diff --git a/gnu/packages/video.scm b/gnu/packages/video.scmindex 8cbe590bf..8c0743745 100644--- a/gnu/packages/video.scm+++ b/gnu/packages/video.scm@@ -6,7 +6,7 @@ ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>-;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com>+;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com> ;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com> ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net> ;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>@@ -1018,6 +1018,10 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.") (sha256 (base32 "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))+ (patches (search-patches "mpv-CVE-2018-6360-1.patch"+ "mpv-CVE-2018-6360-2.patch"+ "mpv-CVE-2018-6360-3.patch"+ "mpv-CVE-2018-6360-4.patch")) (file-name (string-append name "-" version ".tar.gz")))) (build-system waf-build-system) (native-inputs-- 2.16.1
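Review bot: The new mpv-CVE-2018-6360-1.patch in this revision (upstream 828bd2963cd10, "command: add demuxer-lavf-list property") is not used by any of the ytdl_hook.lua hunks in -2, -3 or -4: none of them reads demuxer-lavf-list, and its own commit message describes the property as something that "can be used in the future". Carrying it adds C changes in common/av_common.c and player/command.c to a security backport without touching the URL check, so the three-patch version is the smaller change to review unless upstream states that the property is required.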
> [0]
> https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132
Leo Famulari wrote on 8 Feb 2018 20:16
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30378@debbugs.gnu.org)
20180208191606.GA21732@jasmine.lan
On Thu, Feb 08, 2018 at 01:53:52PM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
> > I noticed that the person who fixed the bug upstream said that 4 commits
> > were needed [0], but this patch (and Debian's and Nix's) are missing the
> > first in that person's list, 828bd2963cd10.
> >
> > I'm going to ask upstream to clarify but, in the meantime, do you know
> > why this patch is not included?
> >
> I have no idea about this. I think we should wait for the author to tell
> us what they think. Here is a new patch with the 4 commits:
Upstream clarified that the "missing" commit is not actually necessary here:
"Yeah, nevermind. Being able to use the native dash demuxer is not necessary for the security fixes."
https://github.com/mpv-player/mpv/issues/5456#issuecomment-364087205
So I'm going to test and push your original patch shortly.

Leo Famulari wrote on 8 Feb 2018 21:19
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30378-done@debbugs.gnu.org)
20180208201903.GB21732@jasmine.lan
On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
> into playing unsafe url returned by youtube-dl.
>
> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.
Pushed as e61da2e8848782052d6d5d69f111520a7f772e52

Closed

This issue is archived.
