On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
> into playing unsafe url returned by youtube-dl.

> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.

Thank you very much for putting this patch together!

I noticed that the person who fixed the bug upstream said that 4 commits
were needed [0], but this patch (and Debian's and Nix's) are missing the
first in that person's list, 828bd2963cd10.

I'm going to ask upstream to clarify but, in the meantime, do you know
why this patch is not included?

[0] https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132