
Bug#950816: Acknowledgement (mpv: unintended code execution vulnerability)



astian:
> If Lua scripts are enabled (they are by default) and configured for use
> (Debian doesn't seem to have any active by default)

Correction: mpv as shipped by Debian does have some active Lua scripts
embedded in the ELF binary, but, as the author says in the quoted commit, they
'only "require" preloaded modules':

  $ strings /usr/bin/mpv | grep 'require '
  require '%s'
  local msg = require 'mp.msg'
  local assdraw = require 'mp.assdraw'
  local msg = require 'mp.msg'
  local opt = require 'mp.options'
  local utils = require 'mp.utils'
  local utils = require 'mp.utils'
  local msg = require 'mp.msg'
  local options = require 'mp.options'
  local mp = require 'mp'
  local options = require 'mp.options'
  local utils = require 'mp.utils'
  local utils = require 'mp.utils'
  local options = require 'mp.options'
  local assdraw = require 'mp.assdraw'

That "require '%s'" looks suspicious but it seems to be only called precisely
for those "built-in" Lua modules.

Cheers.
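
The manual check above can be made repeatable. The following is an added example, not part of the original message or of mpv: it classifies each `require` found in `strings` output, assuming (from the names visible in the output above) that preloaded modules are `mp` and `mp.<name>`. The names `audit_requires` and `sample_strings` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: preloaded modules are "mp" and "mp.<name>",
# taken from the names visible in the strings output quoted above.

# Reads `strings` output on stdin, prints "<class> <argument>" once per distinct
# require, and returns 1 if any literal require names a non-preloaded module.
#   builtin   literal require of mp or mp.<name>
#   external  literal require of any other module (looked up via package.path)
#   dynamic   argument is not a plain module name, e.g. the '%s' format string
audit_requires() {
    awk -v q="'" '
    BEGIN {
        bad = 0
        Q   = "[\"" q "]"                        # either quote character
        re  = "require[ (]*" Q "[^\"" q "]*" Q   # require "x" and require("x")
    }
    {
        line = $0
        while (match(line, re)) {
            arg  = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            sub("^require[ (]*" Q, "", arg)      # drop keyword and opening quote
            sub(Q "$", "", arg)                  # drop closing quote
            if (arg ~ /^mp(\.[A-Za-z_][A-Za-z0-9_]*)*$/) cls = "builtin"
            else if (arg ~ /^[A-Za-z_][A-Za-z0-9_.]*$/)  cls = "external"
            else                                         cls = "dynamic"
            if (cls == "external") bad = 1
            if (!seen[cls " " arg]++) print cls, arg
        }
    }
    END { exit bad }'
}

# Constructed sample: a few lines in the shape of the output quoted above.
sample_strings() {
    cat <<'EOF'
require '%s'
local msg = require 'mp.msg'
local assdraw = require 'mp.assdraw'
local mp = require 'mp'
local utils = require 'mp.utils'
local utils = require 'mp.utils'
EOF
}

# Real use: strings /usr/bin/mpv | audit_requires
sample_strings | audit_requires
```

A `dynamic` line cannot be resolved from `strings` output alone; its call site still has to be reviewed by hand.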

