mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 05:18:07 -05:00
gnu: mpv: Fix CVE-2018-6360.
* gnu/packages/patches/mpv-CVE-2018-6360-1.patch, gnu/packages/patches/mpv-CVE-2018-6360-2.patch, gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/video.scm (mpv)[source]: Use them. Signed-off-by: Leo Famulari <leo@famulari.name>
This commit is contained in:
parent
30335a2963
commit
e61da2e884
5 changed files with 289 additions and 2 deletions
|
@ -9,7 +9,7 @@
|
|||
# Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org>
|
||||
# Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
|
||||
# Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
|
||||
# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>
|
||||
# Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
|
||||
# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||
# Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org>
|
||||
# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||
|
@ -909,6 +909,9 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/mhash-keygen-test-segfault.patch \
|
||||
%D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \
|
||||
%D%/packages/patches/mpc123-initialize-ao.patch \
|
||||
%D%/packages/patches/mpv-CVE-2018-6360-1.patch \
|
||||
%D%/packages/patches/mpv-CVE-2018-6360-2.patch \
|
||||
%D%/packages/patches/mpv-CVE-2018-6360-3.patch \
|
||||
%D%/packages/patches/module-init-tools-moduledir.patch \
|
||||
%D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \
|
||||
%D%/packages/patches/mozjs17-aarch64-support.patch \
|
||||
|
|
138
gnu/packages/patches/mpv-CVE-2018-6360-1.patch
Normal file
138
gnu/packages/patches/mpv-CVE-2018-6360-1.patch
Normal file
|
@ -0,0 +1,138 @@
|
|||
Fix CVE-2018-6360:
|
||||
|
||||
https://github.com/mpv-player/mpv/issues/5456
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
|
||||
https://security-tracker.debian.org/tracker/CVE-2018-6360
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
|
||||
|
||||
To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
|
||||
checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
|
||||
for the 0.28.0 release. So it should be safe to remove hunk #4.
|
||||
|
||||
From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Constantino <wiiaboo@gmail.com>
|
||||
Date: Fri, 26 Jan 2018 01:19:04 +0000
|
||||
Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
|
||||
youtube-dl
|
||||
|
||||
Not very clean since there's a lot of potential unsafe urls that youtube-dl
|
||||
can give us, depending on whether it's a single url, split tracks,
|
||||
playlists, segmented dash, etc.
|
||||
---
|
||||
player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 47 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
|
||||
index dd96ecc01d..b480c21625 100644
|
||||
--- a/player/lua/ytdl_hook.lua
|
||||
+++ b/player/lua/ytdl_hook.lua
|
||||
@@ -16,6 +16,18 @@ local ytdl = {
|
||||
|
||||
local chapter_list = {}
|
||||
|
||||
+function Set (t)
|
||||
+ local set = {}
|
||||
+ for _, v in pairs(t) do set[v] = true end
|
||||
+ return set
|
||||
+end
|
||||
+
|
||||
+local safe_protos = Set {
|
||||
+ "http", "https", "ftp", "ftps",
|
||||
+ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
|
||||
+ "data"
|
||||
+}
|
||||
+
|
||||
local function exec(args)
|
||||
local ret = utils.subprocess({args = args})
|
||||
return ret.status, ret.stdout, ret
|
||||
@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
|
||||
|
||||
for i = offset, #fragments do
|
||||
local fragment = fragments[i]
|
||||
+ if not url_is_safe(join_url(base, fragment)) then
|
||||
+ return nil
|
||||
+ end
|
||||
table.insert(parts, edl_escape(join_url(base, fragment)))
|
||||
if fragment.duration then
|
||||
parts[#parts] =
|
||||
@@ -208,6 +223,15 @@ local function proto_is_dash(json)
|
||||
or json["protocol"] == "http_dash_segments"
|
||||
end
|
||||
|
||||
+local function url_is_safe(url)
|
||||
+ local proto = type(url) == "string" and url:match("^(.+)://") or nil
|
||||
+ local safe = proto and safe_protos[proto]
|
||||
+ if not safe then
|
||||
+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
|
||||
+ end
|
||||
+ return safe
|
||||
+end
|
||||
+
|
||||
local function add_single_video(json)
|
||||
local streamurl = ""
|
||||
local max_bitrate = 0
|
||||
@@ -238,14 +264,18 @@ local function add_single_video(json)
|
||||
edl_track = edl_track_joined(track.fragments,
|
||||
track.protocol, json.is_live,
|
||||
track.fragment_base_url)
|
||||
+ local url = edl_track or track.url
|
||||
+ if not url_is_safe(url) then
|
||||
+ return
|
||||
+ end
|
||||
if track.acodec and track.acodec ~= "none" then
|
||||
-- audio track
|
||||
mp.commandv("audio-add",
|
||||
- edl_track or track.url, "auto",
|
||||
+ url, "auto",
|
||||
track.format_note or "")
|
||||
elseif track.vcodec and track.vcodec ~= "none" then
|
||||
-- video track
|
||||
- streamurl = edl_track or track.url
|
||||
+ streamurl = url
|
||||
end
|
||||
end
|
||||
|
||||
@@ -264,7 +294,13 @@ local function add_single_video(json)
|
||||
|
||||
msg.debug("streamurl: " .. streamurl)
|
||||
|
||||
- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
|
||||
+ streamurl = streamurl:gsub("^data:", "data://", 1)
|
||||
+
|
||||
+ if not url_is_safe(streamurl) then
|
||||
+ return
|
||||
+ end
|
||||
+
|
||||
+ mp.set_property("stream-open-filename", streamurl)
|
||||
|
||||
mp.set_property("file-local-options/force-media-title", json.title)
|
||||
|
||||
@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
|
||||
site = entry["webpage_url"]
|
||||
end
|
||||
|
||||
- if not (site:find("https?://") == 1) then
|
||||
- site = "ytdl://" .. site
|
||||
+ -- links with only youtube id as returned by --flat-playlist
|
||||
+ if not site:find("://") then
|
||||
+ table.insert(playlist, "ytdl://" .. site)
|
||||
+ elseif url_is_safe(site) then
|
||||
+ table.insert(playlist, site)
|
||||
end
|
||||
- table.insert(playlist, site)
|
||||
|
||||
end
|
||||
|
||||
- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
|
||||
+ if #playlist > 0 then
|
||||
+ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
|
||||
+ end
|
||||
end
|
||||
|
||||
else -- probably a video
|
||||
--
|
||||
2.16.1
|
||||
|
59
gnu/packages/patches/mpv-CVE-2018-6360-2.patch
Normal file
59
gnu/packages/patches/mpv-CVE-2018-6360-2.patch
Normal file
|
@ -0,0 +1,59 @@
|
|||
Fix CVE-2018-6360:
|
||||
|
||||
https://github.com/mpv-player/mpv/issues/5456
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
|
||||
https://security-tracker.debian.org/tracker/CVE-2018-6360
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
|
||||
|
||||
From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Constantino <wiiaboo@gmail.com>
|
||||
Date: Fri, 26 Jan 2018 11:26:27 +0000
|
||||
Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
|
||||
|
||||
lua isn't javascript.
|
||||
---
|
||||
player/lua/ytdl_hook.lua | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
|
||||
index b480c21625..458c94af38 100644
|
||||
--- a/player/lua/ytdl_hook.lua
|
||||
+++ b/player/lua/ytdl_hook.lua
|
||||
@@ -84,6 +84,15 @@ local function edl_escape(url)
|
||||
return "%" .. string.len(url) .. "%" .. url
|
||||
end
|
||||
|
||||
+local function url_is_safe(url)
|
||||
+ local proto = type(url) == "string" and url:match("^(.+)://") or nil
|
||||
+ local safe = proto and safe_protos[proto]
|
||||
+ if not safe then
|
||||
+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
|
||||
+ end
|
||||
+ return safe
|
||||
+end
|
||||
+
|
||||
local function time_to_secs(time_string)
|
||||
local ret
|
||||
|
||||
@@ -223,15 +232,6 @@ local function proto_is_dash(json)
|
||||
or json["protocol"] == "http_dash_segments"
|
||||
end
|
||||
|
||||
-local function url_is_safe(url)
|
||||
- local proto = type(url) == "string" and url:match("^(.+)://") or nil
|
||||
- local safe = proto and safe_protos[proto]
|
||||
- if not safe then
|
||||
- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
|
||||
- end
|
||||
- return safe
|
||||
-end
|
||||
-
|
||||
local function add_single_video(json)
|
||||
local streamurl = ""
|
||||
local max_bitrate = 0
|
||||
--
|
||||
2.16.1
|
||||
|
84
gnu/packages/patches/mpv-CVE-2018-6360-3.patch
Normal file
84
gnu/packages/patches/mpv-CVE-2018-6360-3.patch
Normal file
|
@ -0,0 +1,84 @@
|
|||
Fix CVE-2018-6360:
|
||||
|
||||
https://github.com/mpv-player/mpv/issues/5456
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
|
||||
https://security-tracker.debian.org/tracker/CVE-2018-6360
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
|
||||
|
||||
From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Constantino <wiiaboo@gmail.com>
|
||||
Date: Fri, 26 Jan 2018 18:54:17 +0000
|
||||
Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
|
||||
|
||||
---
|
||||
player/lua/ytdl_hook.lua | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
|
||||
index 458c94af38..6c8e78657d 100644
|
||||
--- a/player/lua/ytdl_hook.lua
|
||||
+++ b/player/lua/ytdl_hook.lua
|
||||
@@ -264,18 +264,17 @@ local function add_single_video(json)
|
||||
edl_track = edl_track_joined(track.fragments,
|
||||
track.protocol, json.is_live,
|
||||
track.fragment_base_url)
|
||||
- local url = edl_track or track.url
|
||||
- if not url_is_safe(url) then
|
||||
+ if not edl_track and not url_is_safe(track.url) then
|
||||
return
|
||||
end
|
||||
if track.acodec and track.acodec ~= "none" then
|
||||
-- audio track
|
||||
mp.commandv("audio-add",
|
||||
- url, "auto",
|
||||
+ edl_track or track.url, "auto",
|
||||
track.format_note or "")
|
||||
elseif track.vcodec and track.vcodec ~= "none" then
|
||||
-- video track
|
||||
- streamurl = url
|
||||
+ streamurl = edl_track or track.url
|
||||
end
|
||||
end
|
||||
|
||||
@@ -284,6 +283,9 @@ local function add_single_video(json)
|
||||
edl_track = edl_track_joined(json.fragments, json.protocol,
|
||||
json.is_live, json.fragment_base_url)
|
||||
|
||||
+ if not edl_track and not url_is_safe(json.url) then
|
||||
+ return
|
||||
+ end
|
||||
-- normal video or single track
|
||||
streamurl = edl_track or json.url
|
||||
set_http_headers(json.http_headers)
|
||||
@@ -294,13 +296,7 @@ local function add_single_video(json)
|
||||
|
||||
msg.debug("streamurl: " .. streamurl)
|
||||
|
||||
- streamurl = streamurl:gsub("^data:", "data://", 1)
|
||||
-
|
||||
- if not url_is_safe(streamurl) then
|
||||
- return
|
||||
- end
|
||||
-
|
||||
- mp.set_property("stream-open-filename", streamurl)
|
||||
+ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
|
||||
|
||||
mp.set_property("file-local-options/force-media-title", json.title)
|
||||
|
||||
@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
|
||||
|
||||
msg.debug("EDL: " .. playlist)
|
||||
|
||||
+ if not playlist then
|
||||
+ return
|
||||
+ end
|
||||
+
|
||||
-- can't change the http headers for each entry, so use the 1st
|
||||
if json.entries[1] then
|
||||
set_http_headers(json.entries[1].http_headers)
|
||||
--
|
||||
2.16.1
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||
;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca>
|
||||
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
|
||||
;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com>
|
||||
;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
|
||||
;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com>
|
||||
;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
|
||||
;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>
|
||||
|
@ -1018,6 +1018,9 @@ (define-public mpv
|
|||
(sha256
|
||||
(base32
|
||||
"1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))
|
||||
(patches (search-patches "mpv-CVE-2018-6360-1.patch"
|
||||
"mpv-CVE-2018-6360-2.patch"
|
||||
"mpv-CVE-2018-6360-3.patch"))
|
||||
(file-name (string-append name "-" version ".tar.gz"))))
|
||||
(build-system waf-build-system)
|
||||
(native-inputs
|
||||
|
|
Loading…
Reference in a new issue