From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:55967) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ejrgy-00056W-AM for guix-patches@gnu.org; Thu, 08 Feb 2018 14:17:09 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ejrgs-000587-Dk for guix-patches@gnu.org; Thu, 08 Feb 2018 14:17:08 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:54661) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ejrgs-00057n-4p for guix-patches@gnu.org; Thu, 08 Feb 2018 14:17:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ejrgr-0003n6-PF for guix-patches@gnu.org; Thu, 08 Feb 2018 14:17:01 -0500 Subject: [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360. Resent-Message-ID: Date: Thu, 8 Feb 2018 14:16:06 -0500 From: Leo Famulari Message-ID: <20180208191606.GA21732@jasmine.lan> References: <87tvuts33b.fsf@gmail.com> <20180208024417.GB16980@jasmine.lan> <87mv0kqb67.fsf@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="0OAP2g/MAC+5xKAE" Content-Disposition: inline In-Reply-To: <87mv0kqb67.fsf@gmail.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Alex Vong Cc: 30378@debbugs.gnu.org --0OAP2g/MAC+5xKAE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Feb 08, 2018 at 01:53:52PM +0800, Alex Vong wrote: > Leo Famulari writes: > > I noticed that the person who fixed the bug upstream said that 4 commits > > were needed [0], but this patch (and Debian's and Nix's) are missing the > > first in that person's list, 828bd2963cd10. > > > > I'm going to ask upstream to clarify but, in the meantime, do you know > > why this patch is not included? > > > I have no idea about this. I think we should wait for the author to tell > us what they think. Here is a new patch with the 4 commits: Upstream clarified that the "missing" commit is not actually necessary here: "Yeah, nevermind. Being able to use the native dash demuxer is not necessary for the security fixes." https://github.com/mpv-player/mpv/issues/5456#issuecomment-364087205 So I'm going to test and push your original patch shortly. --0OAP2g/MAC+5xKAE Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlp8oe8ACgkQJkb6MLrK fwgr3hAAwBBhmRigw/flKfzCjQdnr4xUPye02XE33QdVHaMbsjjTk3Q4lzoAOlFb 7jJBxsDrBnr3GxEP1QIJoxBmGvcRAQYn70gI4OjdPWDZeAC7ttNVTKyUvuUcMKWp bHW2VAq42kstOBa8GxMwS2HhrrLEAkOvJQcOZOjiR3OqcDiOqFPUIaCSojCCKlyq 4BMo1tp+IpGfIWpICQHuKQbrZi/MYZR5GDdQqNgn8ulQ6kbQSIt8e4+ALTtJfBOP wSBfwN3CsYKVkhhG+K/frznWlrZ9i82a3aXbNK7Aikm/yUY8cCVZyX68fxeSJvLk eVZYFnAhLkkaNM9ksLr4Mj8pZBfLqUJZHJYm34hU8KiFvxkglHrkNY/0ukBSwIek 9+VcAETM4+5Hebxz/1dJWXM0wKAO9WlxjL5mjqWPx0ccNj+7+c9KUVMjPI0iNDWr 5a94CyvwOb07ESKYQZ4Kt+QkjBe6ku0ruq4yzSux06hsxj8Br1qZbnjH3NsT2MCF ar+Sjc8TvrbOR4SbKWaaPaKndCYu/HqIGzfjG8FxVwQ/1Xs3ZiXASzoiea0lNAhJ xzu+ygwE/dtL+hGSsm291siAZ65XH5bxAyPmt1U4MxsjoRB9LDf5Kr/A8ok83mcd 0ooNv51jp2GPlhtcpG1qpquuK6+aA7LlhPU+VHUoeTKuthqtnfM= =OGJH -----END PGP SIGNATURE----- --0OAP2g/MAC+5xKAE--