Bug#950816: mpv: unintended code execution vulnerability
Package: mpv
Version: 0.32.0-1
Severity: grave
Tags: security fixed-upstream
Justification: user security hole
Dear Maintainer,
If Lua scripts are enabled (they are by default) and configured for use
(Debian doesn't seem to have any active by default) mpv could end up
loading unintended code (lua scripts/bytecode and/or shared objects)
from the current working directory.
The following upstream commit supposedly fixes this:
https://github.com/mpv-player/mpv/commit/cce7062a8a6b6a3b3666aea3ff86db879cba67b6
Excerpt from the commit message:
lua: fix highly security relevant arbitrary code execution bug
It appears Lua's package paths try to load .lua files from the current
working directory. Not only that, but also shared libraries.
[...]
In mpv's case, this is so security relevant, because mpv is normally
used from the command line, and you will most likely actually change
into your media directory or whatever with the shell, and play a file
from there. No, you don't want to load a (probably downloaded) shared
library from this directory if a script tries to load a system lib with
the same name or so.
I'm not sure why LUA_PATH_DEFAULT in luaconf.h (both upstream and the
Debian version) puts "./?.lua" at the end, but in any case, trying to
load a module that doesn't exist nicely lists all package paths in
order, and confirms it tries to load files from the working directory
first (anyone can try this). Even if it didn't, this would be
problematic at best.
Note that scripts are not sandboxed. They're allowed to load system
libraries, which is also why we want to keep the non-idiotic parts of
the package paths.
[...]
mpv in default configuration (i.e. no external scripts) is probably not
affected. All builtin scripts only "require" preloaded modules, which,
in a stroke of genius by the Lua developers, are highest priority in the
load order. Otherwise, enjoy your semi-remote code execution bug.
[...]
Cheers.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mpv depends on:
ii libarchive13 3.4.0-1+b1
ii libasound2 1.2.1.2-2
ii libass9 1:0.14.0-2
ii libavcodec58 7:4.2.2-1
ii libavdevice58 7:4.2.2-1
ii libavfilter7 7:4.2.2-1
ii libavformat58 7:4.2.2-1
ii libavutil56 7:4.2.2-1
ii libbluray2 1:1.1.2-2
ii libc6 2.29-9
ii libcaca0 0.99.beta19-2.1
ii libcdio-cdda2 10.2+2.0.0-1+b1
ii libcdio-paranoia2 10.2+2.0.0-1+b1
ii libcdio18 2.0.0-2
ii libdrm2 2.4.100-4
ii libdvdnav4 6.0.1-1+b1
ii libegl1 1.3.0-7
ii libgbm1 19.3.3-1
ii libgl1 1.3.0-7
ii libjack-jackd2-0 [libjack-0.125] 1.9.12~dfsg-2+b1
ii libjpeg62-turbo 1:1.5.2-2+b1
ii liblcms2-2 2.9-4
ii liblua5.2-0 5.2.4-1.1+b3
ii libpulse0 13.0-4
ii librubberband2 1.8.2-1
ii libsdl2-2.0-0 2.0.10+dfsg1-1
ii libsmbclient 2:4.11.5+dfsg-1
ii libsndio7.0 1.5.0-3
ii libswresample3 7:4.2.2-1
ii libswscale5 7:4.2.2-1
ii libuchardet0 0.0.6-3
ii libva-drm2 2.6.1-1
ii libva-wayland2 2.6.1-1
ii libva-x11-2 2.6.1-1
ii libva2 2.6.1-1
ii libvdpau1 1.3-1
ii libwayland-client0 1.17.0-1+b1
ii libwayland-cursor0 1.17.0-1+b1
ii libwayland-egl1 1.17.0-1+b1
ii libx11-6 2:1.6.8-1
ii libxext6 2:1.3.3-1+b2
ii libxinerama1 2:1.1.4-2
ii libxkbcommon0 0.9.1-1
ii libxrandr2 2:1.5.1-1
ii libxss1 1:1.2.3-1
ii libxv1 2:1.0.11-1
ii zlib1g 1:1.2.11.dfsg-1.1
Versions of packages mpv recommends:
ii xdg-utils 1.1.3-1
ii youtube-dl 2020.01.24-0.1
mpv suggests no packages.
-- no debconf information
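The search-path mechanism the commit message describes, shown as an added example that is neither part of this bug report nor the upstream fix: a Lua 5.2 snippet that audits package.path and package.cpath for templates resolved relative to the working directory (such as "./?.lua" and "./?.so") and drops them before any script's require() runs. It assumes POSIX-style absolute paths beginning with "/".

```lua
-- Added example (not from the bug report or mpv's own code): audit Lua's
-- module search paths for entries that resolve against the current
-- working directory and rewrite them to absolute-only templates.
-- Assumption: POSIX paths, where an absolute template starts with "/".

-- Split a package.path / package.cpath string on ';' into a table.
local function split_templates(path)
  local out = {}
  for template in string.gmatch(path, "[^;]+") do
    out[#out + 1] = template
  end
  return out
end

-- A template is CWD-relative if it is not anchored to an absolute
-- directory: "./?.lua", "?.so" and "?/init.lua" all resolve against
-- wherever the process happens to have been started.
local function is_relative(template)
  return template:sub(1, 1) ~= "/"
end

-- Return the absolute-only search string plus the dropped entries,
-- so a host application can log what it refused to search.
local function sanitise(path)
  local kept, dropped = {}, {}
  for _, t in ipairs(split_templates(path)) do
    if is_relative(t) then
      dropped[#dropped + 1] = t
    else
      kept[#kept + 1] = t
    end
  end
  return table.concat(kept, ";"), dropped
end

-- Apply to both search paths. package.preload entries are consulted by
-- the first searcher regardless, which is why builtin modules that only
-- require() preloaded names are unaffected, as the commit message notes.
for _, name in ipairs({"path", "cpath"}) do
  local clean, dropped = sanitise(package[name])
  for _, t in ipairs(dropped) do
    io.stderr:write(("dropping CWD-relative package.%s entry: %s\n"):format(name, t))
  end
  package[name] = clean
end
```

Running this under a stock Lua 5.2 interpreter reports the trailing "./?.lua" and "./?.so" templates that the default luaconf.h paths carry; after it runs, a require() for a missing module lists only absolute directories in its error message.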