[PATCH] gnu: mpv: Fix CVE-2018-6360.

  • Done
Details
2 participants
  • Alex Vong
  • Leo Famulari
Owner
unassigned
Submitted by
Alex Vong
Severity
normal
Alex Vong wrote on 7 Feb 2018 07:53
(address . guix-patches@gnu.org)
87tvuts33b.fsf@gmail.com
Tags: security

Hello,

This patch fixes CVE-2018-6360, which is about mpv possibly getting tricked
into playing an unsafe URL returned by youtube-dl.
Cheers,
Alex
Alex Vong wrote on 7 Feb 2018 07:59
(address . 30378@debbugs.gnu.org)
87po5hs2sz.fsf@gmail.com
BTW, I forgot to mention that I removed hunk #4 from the first patch
since it checks if 'mpd_url' is safe, but the feature of 'mpd_url' is
not available in the 0.28.0 release yet. So I think it should be fine.
Leo Famulari wrote on 8 Feb 2018 03:44
Re: [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30378@debbugs.gnu.org)
20180208024417.GB16980@jasmine.lan
On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv possibly getting tricked
> into playing an unsafe URL returned by youtube-dl.

> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.

Thank you very much for putting this patch together!

I noticed that the person who fixed the bug upstream said that 4 commits
were needed [0], but this patch (and Debian's and Nix's) are missing the
first in that person's list, 828bd2963cd10.

I'm going to ask upstream to clarify but, in the meantime, do you know
why this patch is not included?

[0]
https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132


Alex Vong wrote on 8 Feb 2018 06:53
(name . Leo Famulari)(address . leo@famulari.name)(address . 30378@debbugs.gnu.org)
87mv0kqb67.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch fixes CVE-2018-6360, which is about mpv possibly getting tricked
>> into playing an unsafe URL returned by youtube-dl.
>
>> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 7 Feb 2018 14:39:40 +0800
>> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>>
>> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/video.scm (mpv)[source]: Use them.
>
> Thank you very much for putting this patch together!
>
:-)

> I noticed that the person who fixed the bug upstream said that 4 commits
> were needed [0], but this patch (and Debian's and Nix's) are missing the
> first in that person's list, 828bd2963cd10.
>
> I'm going to ask upstream to clarify but, in the meantime, do you know
> why this patch is not included?
>
I have no idea about this. I think we should wait for the author to tell
us what they think. Here is a new patch with the 4 commits:
> [0]
> https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132
Leo Famulari wrote on 8 Feb 2018 20:16
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30378@debbugs.gnu.org)
20180208191606.GA21732@jasmine.lan
On Thu, Feb 08, 2018 at 01:53:52PM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
> > I noticed that the person who fixed the bug upstream said that 4 commits
> > were needed [0], but this patch (and Debian's and Nix's) are missing the
> > first in that person's list, 828bd2963cd10.
> >
> > I'm going to ask upstream to clarify but, in the meantime, do you know
> > why this patch is not included?
> >
> I have no idea about this. I think we should wait for the author to tell
> us what they think. Here is a new patch with the 4 commits:

Upstream clarified that the "missing" commit is not actually necessary
here:

"Yeah, nevermind. Being able to use the native dash demuxer is not
necessary for the security fixes."


So I'm going to test and push your original patch shortly.


Leo Famulari wrote on 8 Feb 2018 21:19
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30378-done@debbugs.gnu.org)
20180208201903.GB21732@jasmine.lan
On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv possibly getting tricked
> into playing an unsafe URL returned by youtube-dl.
>

> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.

Pushed as e61da2e8848782052d6d5d69f111520a7f772e52


Closed