* [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
@ 2018-02-07 6:53 Alex Vong
2018-02-07 6:59 ` Alex Vong
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Alex Vong @ 2018-02-07 6:53 UTC (permalink / raw)
To: 30378
[-- Attachment #1: Type: text/plain, Size: 142 bytes --]
Tags: security
Hello,
This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
into playing unsafe url returned by youtube-dl.
[-- Attachment #2: 0001-gnu-mpv-Fix-CVE-2018-6360.patch --]
[-- Type: text/x-diff, Size: 14529 bytes --]
From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 7 Feb 2018 14:39:40 +0800
Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
* gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/video.scm (mpv)[source]: Use them.
---
gnu/local.mk | 5 +-
gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 +++++++++++++++++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 +++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 84 +++++++++++++++
gnu/packages/video.scm | 5 +-
5 files changed, 289 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index ca400dae6..0d3da924d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -9,7 +9,7 @@
# Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org>
# Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
# Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
-# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>
+# Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
# Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org>
# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -911,6 +911,9 @@ dist_patch_DATA = \
%D%/packages/patches/mhash-keygen-test-segfault.patch \
%D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \
%D%/packages/patches/mpc123-initialize-ao.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-1.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-2.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-3.patch \
%D%/packages/patches/module-init-tools-moduledir.patch \
%D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \
%D%/packages/patches/mozjs17-aarch64-support.patch \
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
new file mode 100644
index 000000000..55fc7daaf
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
@@ -0,0 +1,138 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
+
+To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
+checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
+for the 0.28.0 release. So it should be safe to remove hunk #4.
+
+From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 01:19:04 +0000
+Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
+ youtube-dl
+
+Not very clean since there's a lot of potential unsafe urls that youtube-dl
+can give us, depending on whether it's a single url, split tracks,
+playlists, segmented dash, etc.
+---
+ player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 47 insertions(+), 7 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index dd96ecc01d..b480c21625 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -16,6 +16,18 @@ local ytdl = {
+
+ local chapter_list = {}
+
++function Set (t)
++ local set = {}
++ for _, v in pairs(t) do set[v] = true end
++ return set
++end
++
++local safe_protos = Set {
++ "http", "https", "ftp", "ftps",
++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++ "data"
++}
++
+ local function exec(args)
+ local ret = utils.subprocess({args = args})
+ return ret.status, ret.stdout, ret
+@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
+
+ for i = offset, #fragments do
+ local fragment = fragments[i]
++ if not url_is_safe(join_url(base, fragment)) then
++ return nil
++ end
+ table.insert(parts, edl_escape(join_url(base, fragment)))
+ if fragment.duration then
+ parts[#parts] =
+@@ -208,6 +223,15 @@ local function proto_is_dash(json)
+ or json["protocol"] == "http_dash_segments"
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function add_single_video(json)
+ local streamurl = ""
+ local max_bitrate = 0
+@@ -238,14 +264,18 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
++ local url = edl_track or track.url
++ if not url_is_safe(url) then
++ return
++ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+- edl_track or track.url, "auto",
++ url, "auto",
+ track.format_note or "")
+ elseif track.vcodec and track.vcodec ~= "none" then
+ -- video track
+- streamurl = edl_track or track.url
++ streamurl = url
+ end
+ end
+
+@@ -264,7 +294,13 @@ local function add_single_video(json)
+
+ msg.debug("streamurl: " .. streamurl)
+
+- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
++ streamurl = streamurl:gsub("^data:", "data://", 1)
++
++ if not url_is_safe(streamurl) then
++ return
++ end
++
++ mp.set_property("stream-open-filename", streamurl)
+
+ mp.set_property("file-local-options/force-media-title", json.title)
+
+@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
+ site = entry["webpage_url"]
+ end
+
+- if not (site:find("https?://") == 1) then
+- site = "ytdl://" .. site
++ -- links with only youtube id as returned by --flat-playlist
++ if not site:find("://") then
++ table.insert(playlist, "ytdl://" .. site)
++ elseif url_is_safe(site) then
++ table.insert(playlist, site)
+ end
+- table.insert(playlist, site)
+
+ end
+
+- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
++ if #playlist > 0 then
++ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
++ end
+ end
+
+ else -- probably a video
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
new file mode 100644
index 000000000..b37e33a64
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
@@ -0,0 +1,59 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
+
+From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 11:26:27 +0000
+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
+
+lua isn't javascript.
+---
+ player/lua/ytdl_hook.lua | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index b480c21625..458c94af38 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -84,6 +84,15 @@ local function edl_escape(url)
+ return "%" .. string.len(url) .. "%" .. url
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function time_to_secs(time_string)
+ local ret
+
+@@ -223,15 +232,6 @@ local function proto_is_dash(json)
+ or json["protocol"] == "http_dash_segments"
+ end
+
+-local function url_is_safe(url)
+- local proto = type(url) == "string" and url:match("^(.+)://") or nil
+- local safe = proto and safe_protos[proto]
+- if not safe then
+- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+- end
+- return safe
+-end
+-
+ local function add_single_video(json)
+ local streamurl = ""
+ local max_bitrate = 0
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
new file mode 100644
index 000000000..dc3e272d3
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
@@ -0,0 +1,84 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
+
+From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 18:54:17 +0000
+Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
+
+---
+ player/lua/ytdl_hook.lua | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index 458c94af38..6c8e78657d 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -264,18 +264,17 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
+- local url = edl_track or track.url
+- if not url_is_safe(url) then
++ if not edl_track and not url_is_safe(track.url) then
+ return
+ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+- url, "auto",
++ edl_track or track.url, "auto",
+ track.format_note or "")
+ elseif track.vcodec and track.vcodec ~= "none" then
+ -- video track
+- streamurl = url
++ streamurl = edl_track or track.url
+ end
+ end
+
+@@ -284,6 +283,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(json.fragments, json.protocol,
+ json.is_live, json.fragment_base_url)
+
++ if not edl_track and not url_is_safe(json.url) then
++ return
++ end
+ -- normal video or single track
+ streamurl = edl_track or json.url
+ set_http_headers(json.http_headers)
+@@ -294,13 +296,7 @@ local function add_single_video(json)
+
+ msg.debug("streamurl: " .. streamurl)
+
+- streamurl = streamurl:gsub("^data:", "data://", 1)
+-
+- if not url_is_safe(streamurl) then
+- return
+- end
+-
+- mp.set_property("stream-open-filename", streamurl)
++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
+
+ mp.set_property("file-local-options/force-media-title", json.title)
+
+@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
+
+ msg.debug("EDL: " .. playlist)
+
++ if not playlist then
++ return
++ end
++
+ -- can't change the http headers for each entry, so use the 1st
+ if json.entries[1] then
+ set_http_headers(json.entries[1].http_headers)
+--
+2.16.1
+
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 8cbe590bf..5865713b8 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -6,7 +6,7 @@
;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com>
;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>
@@ -1018,6 +1018,9 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
(sha256
(base32
"1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))
+ (patches (search-patches "mpv-CVE-2018-6360-1.patch"
+ "mpv-CVE-2018-6360-2.patch"
+ "mpv-CVE-2018-6360-3.patch"))
(file-name (string-append name "-" version ".tar.gz"))))
(build-system waf-build-system)
(native-inputs
--
2.16.1
[-- Attachment #3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
2018-02-07 6:53 [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360 Alex Vong
@ 2018-02-07 6:59 ` Alex Vong
2018-02-08 2:44 ` Leo Famulari
2018-02-08 20:19 ` bug#30378: " Leo Famulari
2 siblings, 0 replies; 6+ messages in thread
From: Alex Vong @ 2018-02-07 6:59 UTC (permalink / raw)
To: 30378
BTW, I forget to mention that I remove hunk #4 from the first patch
since it checks if 'mpd_url' is safe, but the feature of 'mpd_url' is
not available in the 0.28.0 release yet. So I think it should be fine.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
2018-02-07 6:53 [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360 Alex Vong
2018-02-07 6:59 ` Alex Vong
@ 2018-02-08 2:44 ` Leo Famulari
2018-02-08 5:53 ` Alex Vong
2018-02-08 20:19 ` bug#30378: " Leo Famulari
2 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2018-02-08 2:44 UTC (permalink / raw)
To: Alex Vong; +Cc: 30378
[-- Attachment #1: Type: text/plain, Size: 1133 bytes --]
On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
> into playing unsafe url returned by youtube-dl.
> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.
Thank you very much for putting this patch together!
I noticed that the person who fixed the bug upstream said that 4 commits
were needed [0], but this patch (and Debian's and Nix's) are missing the
first in that person's list, 828bd2963cd10.
I'm going to ask upstream to clarify but, in the meantime, do you know
why this patch is not included?
[0]
https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
2018-02-08 2:44 ` Leo Famulari
@ 2018-02-08 5:53 ` Alex Vong
2018-02-08 19:16 ` Leo Famulari
0 siblings, 1 reply; 6+ messages in thread
From: Alex Vong @ 2018-02-08 5:53 UTC (permalink / raw)
To: Leo Famulari; +Cc: 30378
[-- Attachment #1: Type: text/plain, Size: 1246 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
>> into playing unsafe url returned by youtube-dl.
>
>> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 7 Feb 2018 14:39:40 +0800
>> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>>
>> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/video.scm (mpv)[source]: Use them.
>
> Thank you very much for putting this patch together!
>
:-)
> I noticed that the person who fixed the bug upstream said that 4 commits
> were needed [0], but this patch (and Debian's and Nix's) are missing the
> first in that person's list, 828bd2963cd10.
>
> I'm going to ask upstream to clarify but, in the meantime, do you know
> why this patch is not included?
>
I have no idea about this. I think we should wait for the author to tell
us what they think. Here is a new patch with the 4 commits:
[-- Attachment #2: 0001-gnu-mpv-Fix-CVE-2018-6360.patch --]
[-- Type: text/x-diff, Size: 19942 bytes --]
From 6891f7c24fdd90953454c8fdf68baade394eb9ba Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 7 Feb 2018 14:39:40 +0800
Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
* gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
gnu/packages/patches/mpv-CVE-2018-6360-3.patch,
gnu/packages/patches/mpv-CVE-2018-6360-4.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/video.scm (mpv)[source]: Use them.
---
gnu/local.mk | 6 +-
gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 133 ++++++++++++++++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 138 +++++++++++++++++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 59 +++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-4.patch | 84 +++++++++++++++
gnu/packages/video.scm | 6 +-
6 files changed, 424 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-4.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 3f0023a2f..b0b4ca482 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -9,7 +9,7 @@
# Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org>
# Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
# Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
-# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com>
+# Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
# Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org>
# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -910,6 +910,10 @@ dist_patch_DATA = \
%D%/packages/patches/mhash-keygen-test-segfault.patch \
%D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \
%D%/packages/patches/mpc123-initialize-ao.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-1.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-2.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-3.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-4.patch \
%D%/packages/patches/module-init-tools-moduledir.patch \
%D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \
%D%/packages/patches/mozjs17-aarch64-support.patch \
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
new file mode 100644
index 000000000..4d48da667
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
@@ -0,0 +1,133 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/828bd2963cd10a851e0a977809687aed4d377dc3
+
+From 828bd2963cd10a851e0a977809687aed4d377dc3 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Tue, 2 Jan 2018 20:46:58 +0000
+Subject: [PATCH] command: add demuxer-lavf-list property
+
+Was only available with --demuxer-lavf-format=help and the demuxer
+needed to be used for it to actually print the list.
+
+This can be used in the future to check if 'dash' support was compiled
+with FFmpeg so ytdl_hook can use it instead. For now, dashdec is too
+rudimentary to be used right away.
+---
+ DOCS/man/input.rst | 4 ++++
+ common/av_common.c | 17 +++++++++++++++++
+ common/av_common.h | 1 +
+ player/command.c | 15 +++++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/DOCS/man/input.rst b/DOCS/man/input.rst
+index 16d8ecb45d..0ae4a0c0c8 100644
+--- a/DOCS/man/input.rst
++++ b/DOCS/man/input.rst
+@@ -2119,6 +2119,10 @@ Property list
+ The encoder names (``driver`` entries) can be passed to ``--ovc`` and
+ ``--oac`` (without the ``lavc:`` prefix required by ``--vd`` and ``--ad``).
+
++``demuxer-lavf-list``
++ List of available libavformat demuxers' names. This can be used to check
++ for support for a specific format or use with ``--demuxer-lavf-format``.
++
+ ``mpv-version``
+ Return the mpv version/copyright string. Depending on how the binary was
+ built, it might contain either a release version, or just a git hash.
+diff --git a/common/av_common.c b/common/av_common.c
+index 65a212b994..0599d98465 100644
+--- a/common/av_common.c
++++ b/common/av_common.c
+@@ -26,6 +26,7 @@
+ #include <libavutil/error.h>
+ #include <libavutil/cpu.h>
+ #include <libavcodec/avcodec.h>
++#include <libavformat/avformat.h>
+
+ #include "config.h"
+
+@@ -33,6 +34,7 @@
+ #include "common/msg.h"
+ #include "demux/packet.h"
+ #include "demux/stheader.h"
++#include "misc/bstr.h"
+ #include "video/fmt-conversion.h"
+ #include "av_common.h"
+ #include "codecs.h"
+@@ -246,6 +248,21 @@ void mp_add_lavc_encoders(struct mp_decoder_list *list)
+ }
+ }
+
++char **mp_get_lavf_demuxers(void)
++{
++ char **list = NULL;
++ AVInputFormat *cur = NULL;
++ int num = 0;
++ for (;;) {
++ cur = av_iformat_next(cur);
++ if (!cur)
++ break;
++ MP_TARRAY_APPEND(NULL, list, num, talloc_strdup(NULL, cur->name));
++ }
++ MP_TARRAY_APPEND(NULL, list, num, NULL);
++ return list;
++}
++
+ int mp_codec_to_av_codec_id(const char *codec)
+ {
+ int id = AV_CODEC_ID_NONE;
+diff --git a/common/av_common.h b/common/av_common.h
+index 6d0c823b8d..0e7c838884 100644
+--- a/common/av_common.h
++++ b/common/av_common.h
+@@ -41,6 +41,7 @@ double mp_pts_from_av(int64_t av_pts, AVRational *tb);
+ void mp_set_avcodec_threads(struct mp_log *l, AVCodecContext *avctx, int threads);
+ void mp_add_lavc_decoders(struct mp_decoder_list *list, enum AVMediaType type);
+ void mp_add_lavc_encoders(struct mp_decoder_list *list);
++char **mp_get_lavf_demuxers(void);
+ int mp_codec_to_av_codec_id(const char *codec);
+ const char *mp_codec_from_av_codec_id(int codec_id);
+ void mp_set_avdict(struct AVDictionary **dict, char **kv);
+diff --git a/player/command.c b/player/command.c
+index 6f2c15b047..412afc5e11 100644
+--- a/player/command.c
++++ b/player/command.c
+@@ -3588,6 +3588,20 @@ static int mp_property_encoders(void *ctx, struct m_property *prop,
+ return r;
+ }
+
++static int mp_property_lavf_demuxers(void *ctx, struct m_property *prop,
++ int action, void *arg)
++{
++ switch (action) {
++ case M_PROPERTY_GET:
++ *(char ***)arg = mp_get_lavf_demuxers();
++ return M_PROPERTY_OK;
++ case M_PROPERTY_GET_TYPE:
++ *(struct m_option *)arg = (struct m_option){.type = CONF_TYPE_STRING_LIST};
++ return M_PROPERTY_OK;
++ }
++ return M_PROPERTY_NOT_IMPLEMENTED;
++}
++
+ static int mp_property_version(void *ctx, struct m_property *prop,
+ int action, void *arg)
+ {
+@@ -4027,6 +4041,7 @@ static const struct m_property mp_properties_base[] = {
+ {"protocol-list", mp_property_protocols},
+ {"decoder-list", mp_property_decoders},
+ {"encoder-list", mp_property_encoders},
++ {"demuxer-lavf-list", mp_property_lavf_demuxers},
+
+ {"mpv-version", mp_property_version},
+ {"mpv-configuration", mp_property_configuration},
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
new file mode 100644
index 000000000..55fc7daaf
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
@@ -0,0 +1,138 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
+
+To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
+checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
+for the 0.28.0 release. So it should be safe to remove hunk #4.
+
+From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 01:19:04 +0000
+Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
+ youtube-dl
+
+Not very clean since there's a lot of potential unsafe urls that youtube-dl
+can give us, depending on whether it's a single url, split tracks,
+playlists, segmented dash, etc.
+---
+ player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 47 insertions(+), 7 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index dd96ecc01d..b480c21625 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -16,6 +16,18 @@ local ytdl = {
+
+ local chapter_list = {}
+
++function Set (t)
++ local set = {}
++ for _, v in pairs(t) do set[v] = true end
++ return set
++end
++
++local safe_protos = Set {
++ "http", "https", "ftp", "ftps",
++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++ "data"
++}
++
+ local function exec(args)
+ local ret = utils.subprocess({args = args})
+ return ret.status, ret.stdout, ret
+@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
+
+ for i = offset, #fragments do
+ local fragment = fragments[i]
++ if not url_is_safe(join_url(base, fragment)) then
++ return nil
++ end
+ table.insert(parts, edl_escape(join_url(base, fragment)))
+ if fragment.duration then
+ parts[#parts] =
+@@ -208,6 +223,15 @@ local function proto_is_dash(json)
+ or json["protocol"] == "http_dash_segments"
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function add_single_video(json)
+ local streamurl = ""
+ local max_bitrate = 0
+@@ -238,14 +264,18 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
++ local url = edl_track or track.url
++ if not url_is_safe(url) then
++ return
++ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+- edl_track or track.url, "auto",
++ url, "auto",
+ track.format_note or "")
+ elseif track.vcodec and track.vcodec ~= "none" then
+ -- video track
+- streamurl = edl_track or track.url
++ streamurl = url
+ end
+ end
+
+@@ -264,7 +294,13 @@ local function add_single_video(json)
+
+ msg.debug("streamurl: " .. streamurl)
+
+- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
++ streamurl = streamurl:gsub("^data:", "data://", 1)
++
++ if not url_is_safe(streamurl) then
++ return
++ end
++
++ mp.set_property("stream-open-filename", streamurl)
+
+ mp.set_property("file-local-options/force-media-title", json.title)
+
+@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
+ site = entry["webpage_url"]
+ end
+
+- if not (site:find("https?://") == 1) then
+- site = "ytdl://" .. site
++ -- links with only youtube id as returned by --flat-playlist
++ if not site:find("://") then
++ table.insert(playlist, "ytdl://" .. site)
++ elseif url_is_safe(site) then
++ table.insert(playlist, site)
+ end
+- table.insert(playlist, site)
+
+ end
+
+- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
++ if #playlist > 0 then
++ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
++ end
+ end
+
+ else -- probably a video
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
new file mode 100644
index 000000000..b37e33a64
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
@@ -0,0 +1,59 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
+
+From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 11:26:27 +0000
+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
+
+lua isn't javascript.
+---
+ player/lua/ytdl_hook.lua | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index b480c21625..458c94af38 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -84,6 +84,15 @@ local function edl_escape(url)
+ return "%" .. string.len(url) .. "%" .. url
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function time_to_secs(time_string)
+ local ret
+
+@@ -223,15 +232,6 @@ local function proto_is_dash(json)
+ or json["protocol"] == "http_dash_segments"
+ end
+
+-local function url_is_safe(url)
+- local proto = type(url) == "string" and url:match("^(.+)://") or nil
+- local safe = proto and safe_protos[proto]
+- if not safe then
+- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+- end
+- return safe
+-end
+-
+ local function add_single_video(json)
+ local streamurl = ""
+ local max_bitrate = 0
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-4.patch b/gnu/packages/patches/mpv-CVE-2018-6360-4.patch
new file mode 100644
index 000000000..dc3e272d3
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-4.patch
@@ -0,0 +1,84 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
+
+From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <wiiaboo@gmail.com>
+Date: Fri, 26 Jan 2018 18:54:17 +0000
+Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
+
+---
+ player/lua/ytdl_hook.lua | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index 458c94af38..6c8e78657d 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -264,18 +264,17 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
+- local url = edl_track or track.url
+- if not url_is_safe(url) then
++ if not edl_track and not url_is_safe(track.url) then
+ return
+ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+- url, "auto",
++ edl_track or track.url, "auto",
+ track.format_note or "")
+ elseif track.vcodec and track.vcodec ~= "none" then
+ -- video track
+- streamurl = url
++ streamurl = edl_track or track.url
+ end
+ end
+
+@@ -284,6 +283,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(json.fragments, json.protocol,
+ json.is_live, json.fragment_base_url)
+
++ if not edl_track and not url_is_safe(json.url) then
++ return
++ end
+ -- normal video or single track
+ streamurl = edl_track or json.url
+ set_http_headers(json.http_headers)
+@@ -294,13 +296,7 @@ local function add_single_video(json)
+
+ msg.debug("streamurl: " .. streamurl)
+
+- streamurl = streamurl:gsub("^data:", "data://", 1)
+-
+- if not url_is_safe(streamurl) then
+- return
+- end
+-
+- mp.set_property("stream-open-filename", streamurl)
++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
+
+ mp.set_property("file-local-options/force-media-title", json.title)
+
+@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
+
+ msg.debug("EDL: " .. playlist)
+
++ if not playlist then
++ return
++ end
++
+ -- can't change the http headers for each entry, so use the 1st
+ if json.entries[1] then
+ set_http_headers(json.entries[1].http_headers)
+--
+2.16.1
+
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 8cbe590bf..8c0743745 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -6,7 +6,7 @@
;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com>
+;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com>
;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com>
@@ -1018,6 +1018,10 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
(sha256
(base32
"1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))
+ (patches (search-patches "mpv-CVE-2018-6360-1.patch"
+ "mpv-CVE-2018-6360-2.patch"
+ "mpv-CVE-2018-6360-3.patch"
+ "mpv-CVE-2018-6360-4.patch"))
(file-name (string-append name "-" version ".tar.gz"))))
(build-system waf-build-system)
(native-inputs
--
2.16.1
[-- Attachment #3: Type: text/plain, Size: 78 bytes --]
> [0]
> https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
2018-02-08 5:53 ` Alex Vong
@ 2018-02-08 19:16 ` Leo Famulari
0 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2018-02-08 19:16 UTC (permalink / raw)
To: Alex Vong; +Cc: 30378
[-- Attachment #1: Type: text/plain, Size: 871 bytes --]
On Thu, Feb 08, 2018 at 01:53:52PM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
> > I noticed that the person who fixed the bug upstream said that 4 commits
> > were needed [0], but this patch (and Debian's and Nix's) are missing the
> > first in that person's list, 828bd2963cd10.
> >
> > I'm going to ask upstream to clarify but, in the meantime, do you know
> > why this patch is not included?
> >
> I have no idea about this. I think we should wait for the author to tell
> us what they think. Here is a new patch with the 4 commits:
Upstream clarified that the "missing" commit is not actually necessary
here:
"Yeah, nevermind. Being able to use the native dash demuxer is not
necessary for the security fixes."
https://github.com/mpv-player/mpv/issues/5456#issuecomment-364087205
So I'm going to test and push your original patch shortly.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#30378: [PATCH] gnu: mpv: Fix CVE-2018-6360.
2018-02-07 6:53 [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360 Alex Vong
2018-02-07 6:59 ` Alex Vong
2018-02-08 2:44 ` Leo Famulari
@ 2018-02-08 20:19 ` Leo Famulari
2 siblings, 0 replies; 6+ messages in thread
From: Leo Famulari @ 2018-02-08 20:19 UTC (permalink / raw)
To: Alex Vong; +Cc: 30378-done
[-- Attachment #1: Type: text/plain, Size: 756 bytes --]
On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
> into playing unsafe url returned by youtube-dl.
>
> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.
Pushed as e61da2e8848782052d6d5d69f111520a7f772e52
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-02-08 20:20 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-07 6:53 [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360 Alex Vong
2018-02-07 6:59 ` Alex Vong
2018-02-08 2:44 ` Leo Famulari
2018-02-08 5:53 ` Alex Vong
2018-02-08 19:16 ` Leo Famulari
2018-02-08 20:19 ` bug#30378: " Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).