
Bug#890410: marked as done (mpv: fix for CVE-2018-6360 overlooks subtitles)



Your message dated Sun, 06 May 2018 22:35:16 +0000
with message-id <E1fFSFQ-000E4D-0w@fasolo.debian.org>
and subject line Bug#890410: fixed in mpv 0.28.2-1
has caused the Debian Bug report #890410,
regarding mpv: fix for CVE-2018-6360 overlooks subtitles
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
890410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890410
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream

Yet another bug relating to the fix for CVE-2018-6360...

This time the bug is not a regression, but a mistake upstream made when
writing the original patch. Upstream overlooked the handling of subtitle
URLs which were not protected.

Upstream has released 0.27.2 and 0.28.2 to fix these. I think the bug
affects 0.23 as well (but I have not yet checked).

Possibly this warrants a new CVE number.

Upstream commit:
https://github.com/mpv-player/mpv/commit/3e71eb8676de53a05f51b987d294e7d2fa0a5bc1

James



--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.28.2-1

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 May 2018 23:20:25 +0100
Source: mpv
Binary: mpv libmpv1 libmpv-dev
Architecture: source
Version: 0.28.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mpv        - video player based on MPlayer/mplayer2
Closes: 890410 898080
Changes:
 mpv (0.28.2-1) experimental; urgency=medium
 .
   * New upstream bugfix release.
     - Also whitelist subtitle URLs in youtube-dl hook. (Closes: #890410)
 .
   * debian/rules:
     - Build-Depend on ffmpeg 4.0. (Closes: #898080)
   * debian/patches:
     - Drop patch for CVE-2018-6360 - fixed upstream.
     - Fix typo in 06_ffmpeg-abi.patch description.

--- End Message ---
