Subject: [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
Date: Wed, 7 Feb 2018 21:44:17 -0500
From: Leo Famulari
To: Alex Vong
Cc: 30378@debbugs.gnu.org
Message-ID: <20180208024417.GB16980@jasmine.lan>
In-Reply-To: <87tvuts33b.fsf@gmail.com>

On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
>
> Hello,
>
> This patch fixes CVE-2018-6360, which is about mpv maybe getting tricked
> into playing an unsafe URL returned by youtube-dl.

> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
>
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.

Thank you very much for putting this patch together!

I noticed that the person who fixed the bug upstream said that 4 commits
were needed [0], but this patch (and Debian's and Nix's) are missing the
first in that person's list, 828bd2963cd10.

I'm going to ask upstream to clarify but, in the meantime, do you know
why this patch is not included?

[0]
https://github.com/mpv-player/mpv/issues/5456#issuecomment-362442132