[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#889892: mpv: fix for CVE-2018-6360 breaks youtube playlists

Hi,

On 08/02/18 11:36, James Cowgill wrote:
> On 07/02/18 23:16, James Cowgill wrote:
>> Hi,
>>
>> On 07/02/18 21:39, Marc Becker wrote:
>>> Package: mpv
>>> Version: 0.23.0-2+deb9u1
>>> Followup-For: Bug #888654
>>>
>>> Patch to line 264 via 08_ytdl-hook-whitelist-protocols.patch is incorrect,
>>> check is applied to raw Youtube ID instead of valid url and always fails as
>>> a result.
>>>
>>> Suggestions: no checking of raw IDs (skipped in upstream fix as well)
>>
>> Yes I think you're right. It's also broken in sid too (but not in
>> experimental). I think I got thrown off by newer mpv distinguishing
>> between youtube ids and non youtube ids.
> 
> Cloning a new bug to track the regression.

I think the attached patch will fix this (which I have also just
uploaded to unstable).

Also available here:
https://salsa.debian.org/multimedia-team/mpv/compare/debian%2F0.23.0-2+deb9u1...debian%2Fstretch

This incorporates this upstream commit which fixes a different issue,
but by doing so allows me to copy upstream's fix:
https://github.com/mpv-player/mpv/commit/1623430b200c7bf67ec19bcab13ccbe9a494d2c7

Sorry for missing this in my first patch!

James

diff --git a/debian/changelog b/debian/changelog
index 346e88c..b68ace0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mpv (0.23.0-2+deb9u2) stretch-security; urgency=high
+
+  * debian/patches/08_ytdl-hook-whitelist-protocols.patch:
+    - Fix regression in CVE-2018-6360 patch which broke youtube playlists.
+      (Closes: #889892)
+
+ -- James Cowgill <jcowgill@debian.org>  Thu, 08 Feb 2018 12:27:06 +0000
+
 mpv (0.23.0-2+deb9u1) stretch-security; urgency=high
 
   * debian/patches/08_ytdl-hook-whitelist-protocols.patch:
diff --git a/debian/patches/08_ytdl-hook-whitelist-protocols.patch b/debian/patches/08_ytdl-hook-whitelist-protocols.patch
index 0212bdb..7487f82 100644
--- a/debian/patches/08_ytdl-hook-whitelist-protocols.patch
+++ b/debian/patches/08_ytdl-hook-whitelist-protocols.patch
@@ -10,6 +10,7 @@ Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl
 Author: Ricardo Constantino <wiiaboo@gmail.com>
 Bug: https://github.com/mpv-player/mpv/issues/5456
 Bug-Debian: https://bugs.debian.org/888654
+Bug-Debian: https://bugs.debian.org/889892
 Applied-Upstream: v0.29
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
@@ -61,18 +62,20 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
                      playlist = playlist .. edl_escape(entry.url)
                      if not (entry.duration == nil) then
                          playlist = playlist..",start=0,length="..entry.duration
-@@ -261,7 +285,9 @@ mp.add_hook("on_load", 10, function ()
+@@ -261,7 +285,11 @@ mp.add_hook("on_load", 10, function ()
                          site = entry["webpage_url"]
                      end
  
 -                    playlist = playlist .. "ytdl://" .. site .. "\n"
-+                    if url_is_safe(site) then
++                    if not site:find("://") then
 +                        playlist = playlist .. "ytdl://" .. site .. "\n"
++                    elseif url_is_safe(site) then
++                        playlist = playlist .. site .. "\n"
 +                    end
                  end
  
                  mp.set_property("stream-open-filename", "memory://" .. playlist)
-@@ -279,14 +305,24 @@ mp.add_hook("on_load", 10, function ()
+@@ -279,14 +307,24 @@ mp.add_hook("on_load", 10, function ()
  
                  -- video url
                  streamurl = json["requested_formats"][1].url

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: