Bug#950816: Acknowledgement (mpv: unintended code execution vulnerability)
astian:
> If Lua scripts are enabled (they are by default) and configured for use
> (Debian doesn't seem to have any active by default)
Correction: mpv as shipped by Debian does have some active Lua scripts
embedded in the ELF binary, but, as the author says in the quoted commit, they
'only "require" preloaded modules':
$ strings /usr/bin/mpv | grep 'require '
require '%s'
local msg = require 'mp.msg'
local assdraw = require 'mp.assdraw'
local msg = require 'mp.msg'
local opt = require 'mp.options'
local utils = require 'mp.utils'
local utils = require 'mp.utils'
local msg = require 'mp.msg'
local options = require 'mp.options'
local mp = require 'mp'
local options = require 'mp.options'
local utils = require 'mp.utils'
local utils = require 'mp.utils'
local options = require 'mp.options'
local assdraw = require 'mp.assdraw'
That "require '%s'" looks suspicious but it seems to be only called precisely
for those "built-in" Lua modules.
Cheers.
Reply to: