Bug#888654: marked as done (mpv: CVE-2018-6360)



Your message dated Sat, 10 Feb 2018 21:02:58 +0000
with message-id <E1ekcIU-000BEs-1g@fasolo.debian.org>
and subject line Bug#888654: fixed in mpv 0.23.0-2+deb9u1
has caused the Debian Bug report #888654,
regarding mpv: CVE-2018-6360
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
888654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888654
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.23.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888654@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 03 Feb 2018 15:05:34 +0100
Source: mpv
Binary: mpv libmpv1 libmpv-dev mplayer2
Architecture: source
Version: 0.23.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mplayer2   - transitional dummy package for mpv
 mpv        - video player based on MPlayer/mplayer2
Closes: 888654
Changes:
 mpv (0.23.0-2+deb9u1) stretch-security; urgency=high
 .
   * debian/patches/08_ytdl-hook-whitelist-protocols.patch:
     - Add patch which whitelists protocols received from youtube-dl.
       Fixes CVE-2018-6360. (Closes: #888654)
Files:
 408d378b863a09c2940bd6d9b0819344 2964 video optional mpv_0.23.0-2+deb9u1.dsc
 9bce377e101612d611daf2a5c99aa95f 2812103 video optional mpv_0.23.0.orig.tar.gz
 5e50934c8a3ba252529f2c4ed7d73a04 101888 video optional mpv_0.23.0-2+deb9u1.debian.tar.xz
 02e5cbea2de70342d8ce440f8d56273e 12306 video optional mpv_0.23.0-2+deb9u1_source.buildinfo


--- End Message ---
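The CVE text in the report and the changelog's whitelist patch describe one control: refusing any stream URL from youtube-dl whose scheme is not on an allowlist, so that a scheme FFmpeg would interpret itself (the av://lavfi:ladspa=file= form the CVE names) never reaches the player. The following is an added illustration in Lua, the language of ytdl_hook.lua, and is not the Debian patch or mpv's own code; the youtube-dl field names url, requested_formats and entries, and the sample playlist, are assumptions.

```lua
-- Added example, not mpv's or Debian's code: allowlist the scheme of every
-- stream URL youtube-dl hands back before the player opens it.

-- Network protocols youtube-dl is legitimately expected to return.
local SAFE_PROTOCOLS = {
    http = true, https = true, ftp = true, ftps = true,
    rtmp = true, rtmps = true, rtmpe = true, rtmpt = true, rtmpts = true, rtmpte = true,
}

-- Return the URL scheme in lower case, or nil if there is no "scheme://" prefix.
local function scheme_of(url)
    if type(url) ~= "string" then return nil end
    local proto = url:match("^(%a[%w%+%.%-]*)://")
    return proto and proto:lower() or nil
end

-- Allowlist check: anything not explicitly listed (av://, file://, no scheme) is refused.
local function url_is_safe(url)
    local proto = scheme_of(url)
    return proto ~= nil and SAFE_PROTOCOLS[proto] == true
end

-- Walk a youtube-dl info dict (assumed field names: url, requested_formats, entries),
-- drop every URL that fails the allowlist and return how many were removed.
local function strip_unsafe_urls(info)
    local removed = 0
    local function check(tbl)
        if type(tbl) == "table" and tbl.url ~= nil and not url_is_safe(tbl.url) then
            io.stderr:write(("ignoring potentially unsafe url: %s\n"):format(tostring(tbl.url)))
            tbl.url = nil
            removed = removed + 1
        end
    end
    check(info)
    for _, f in ipairs(info.requested_formats or {}) do check(f) end
    for _, e in ipairs(info.entries or {}) do check(e) end
    return removed
end

-- Constructed sample: an upper-case but legitimate scheme, plus two entries
-- carrying schemes the hook must never pass on.
local sample = {
    url = "HTTPS://cdn.example.org/video.m3u8",
    requested_formats = { { url = "https://cdn.example.org/v.mp4" }, { url = "file:///etc/hosts" } },
    entries = { { url = "http://cdn.example.org/a.mp4" }, { url = "av://lavfi:ladspa=file=..." } },
}
assert(url_is_safe(sample.url))
assert(strip_unsafe_urls(sample) == 2)
assert(sample.requested_formats[2].url == nil and sample.entries[2].url == nil)
```

Schemes are compared case-insensitively and a URL with no scheme at all is rejected rather than guessed, which is the failure mode an allowlist (as opposed to a denylist of known-bad schemes) is meant to close.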