Leo Famulari writes:

> On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
>> Tags: security
>>
>> Hello,
>>
>> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
>> into playing unsafe url returned by youtube-dl.
>
>> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
>> From: Alex Vong
>> Date: Wed, 7 Feb 2018 14:39:40 +0800
>> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>>
>> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
>> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/video.scm (mpv)[source]: Use them.
>
> Thank you very much for putting this patch together!
>

:-)

> I noticed that the person who fixed the bug upstream said that 4 commits
> were needed [0], but this patch (and Debian's and Nix's) are missing the
> first in that person's list, 828bd2963cd10.
>
> I'm going to ask upstream to clarify but, in the meantime, do you know
> why this patch is not included?
>

I have no idea about this. I think we should wait for the author to tell us what they think.

Here is a new patch with the 4 commits: