
Bug#950816: marked as done (mpv: unintended code execution vulnerability)



Your message dated Sat, 18 Jul 2020 22:49:23 +0000
with message-id <E1jwvdz-000HDn-4b@fasolo.debian.org>
and subject line Bug#950816: fixed in mpv 0.32.0-2
has caused the Debian Bug report #950816,
regarding mpv: unintended code execution vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
950816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950816
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mpv
Version: 0.32.0-1
Severity: grave
Tags: security fixed-upstream
Justification: user security hole

Dear Maintainer,

If Lua scripts are enabled (they are by default) and configured for use
(Debian doesn't seem to have any active by default) mpv could end up
loading unintended code (lua scripts/bytecode and/or shared objects)
from the current working directory.

The following upstream commit supposedly fixes this:
https://github.com/mpv-player/mpv/commit/cce7062a8a6b6a3b3666aea3ff86db879cba67b6

Excerpt from the commit message:

  lua: fix highly security relevant arbitrary code execution bug

  It appears Lua's package paths try to load .lua files from the current
  working directory. Not only that, but also shared libraries.

  [...]

  In mpv's case, this is so security relevant, because mpv is normally
  used from the command line, and you will most likely actually change
  into your media directory or whatever with the shell, and play a file
  from there. No, you don't want to load a (probably downloaded) shared
  library from this directory if a script tries to load a system lib with
  the same name or so.

  I'm not sure why LUA_PATH_DEFAULT in luaconf.h (both upstream and the
  Debian version) put "./?.lua" at the end, but in any case, trying to
  load a module that doesn't exist nicely lists all package paths in
  order, and confirms it tries to load files from the working directory
  first (anyone can try this). Even if it didn't, this would be
  problematic at best.

  Note that scripts are not sandboxed. They're allowed to load system
  libraries, which is also why we want to keep the non-idiotic parts of
  the package paths.

  [...]

  mpv in default configuration (i.e. no external scripts) is probably not
  affected. All builtin scripts only "require" preloaded modules, which,
  in a stroke of genius by the Lua developers, are highest priority in the
  load order. Otherwise, enjoy your semi-remote code execution bug.

  [...]

Cheers.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mpv depends on:
ii  libarchive13                      3.4.0-1+b1
ii  libasound2                        1.2.1.2-2
ii  libass9                           1:0.14.0-2
ii  libavcodec58                      7:4.2.2-1
ii  libavdevice58                     7:4.2.2-1
ii  libavfilter7                      7:4.2.2-1
ii  libavformat58                     7:4.2.2-1
ii  libavutil56                       7:4.2.2-1
ii  libbluray2                        1:1.1.2-2
ii  libc6                             2.29-9
ii  libcaca0                          0.99.beta19-2.1
ii  libcdio-cdda2                     10.2+2.0.0-1+b1
ii  libcdio-paranoia2                 10.2+2.0.0-1+b1
ii  libcdio18                         2.0.0-2
ii  libdrm2                           2.4.100-4
ii  libdvdnav4                        6.0.1-1+b1
ii  libegl1                           1.3.0-7
ii  libgbm1                           19.3.3-1
ii  libgl1                            1.3.0-7
ii  libjack-jackd2-0 [libjack-0.125]  1.9.12~dfsg-2+b1
ii  libjpeg62-turbo                   1:1.5.2-2+b1
ii  liblcms2-2                        2.9-4
ii  liblua5.2-0                       5.2.4-1.1+b3
ii  libpulse0                         13.0-4
ii  librubberband2                    1.8.2-1
ii  libsdl2-2.0-0                     2.0.10+dfsg1-1
ii  libsmbclient                      2:4.11.5+dfsg-1
ii  libsndio7.0                       1.5.0-3
ii  libswresample3                    7:4.2.2-1
ii  libswscale5                       7:4.2.2-1
ii  libuchardet0                      0.0.6-3
ii  libva-drm2                        2.6.1-1
ii  libva-wayland2                    2.6.1-1
ii  libva-x11-2                       2.6.1-1
ii  libva2                            2.6.1-1
ii  libvdpau1                         1.3-1
ii  libwayland-client0                1.17.0-1+b1
ii  libwayland-cursor0                1.17.0-1+b1
ii  libwayland-egl1                   1.17.0-1+b1
ii  libx11-6                          2:1.6.8-1
ii  libxext6                          2:1.3.3-1+b2
ii  libxinerama1                      2:1.1.4-2
ii  libxkbcommon0                     0.9.1-1
ii  libxrandr2                        2:1.5.1-1
ii  libxss1                           1:1.2.3-1
ii  libxv1                            2:1.0.11-1
ii  zlib1g                            1:1.2.11.dfsg-1.1

Versions of packages mpv recommends:
ii  xdg-utils   1.1.3-1
ii  youtube-dl  2020.01.24-0.1

mpv suggests no packages.

-- no debconf information

--- End Message ---
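The commit excerpt in the report above describes the root cause: stock Lua's default search paths end in working-directory entries (the quoted "./?.lua" in LUA_PATH_DEFAULT for package.path, and the corresponding "./?.so" for package.cpath), so a script that calls require() for a name not found in the system directories falls through to whatever sits in the current directory, including a shared object. The Lua snippet below is an added example and is not code from the bug report or from mpv's upstream fix (which lives in mpv's C embedding code at the linked commit); it shows the defensive step the commit message describes, removing every relative entry from both search paths, and then verifies with a deliberately failing require() that the loader no longer looks in the working directory. It assumes a standard Lua 5.2 or later interpreter; the helper names and the module name not_a_real_module are constructed for the example.

```lua
-- Added example, not from the bug report or from mpv's upstream fix.
-- Assumes a stock Lua 5.2+ interpreter (run with: lua sanitize_paths.lua).
-- Lua's default search paths end in working-directory entries such as
-- "./?.lua" (package.path) and "./?.so" (package.cpath); this filter drops
-- every entry that is not an absolute path, so require() can no longer pick
-- up a script or a shared object from the current working directory.

local dirsep = package.config:sub(1, 1)   -- "/" on POSIX, "\" on Windows

-- True for entries like "/usr/share/lua/5.2/?.lua" or "C:\lua\?.lua";
-- false for "./?.lua", ".\?.dll" and bare "?.lua", which all resolve
-- relative to the working directory.
local function is_absolute(entry)
  return entry:sub(1, 1) == dirsep
      or entry:match("^%a:[\\/]") ~= nil
end

-- Return a copy of a ';'-separated search path with relative entries removed.
local function strip_cwd_entries(path)
  local kept = {}
  for entry in path:gmatch("[^;]+") do
    if is_absolute(entry) then
      kept[#kept + 1] = entry
    end
  end
  return table.concat(kept, ";")
end

print("before: package.path  = " .. package.path)
print("before: package.cpath = " .. package.cpath)

-- Sanitize both the Lua-source and the C-module search paths. Modules in
-- package.preload (the ones mpv's builtin scripts use, per the commit
-- message) are unaffected: the preload table is consulted before any path.
package.path  = strip_cwd_entries(package.path)
package.cpath = strip_cwd_entries(package.cpath)

print("after:  package.path  = " .. package.path)
print("after:  package.cpath = " .. package.cpath)

-- Verification, the way the commit message suggests: requiring a module that
-- does not exist makes the loader list every file it tried. After the filter,
-- no entry quoted as './...' or '.\...' may appear in that list.
-- (not_a_real_module is a constructed name for this check.)
local ok, err = pcall(require, "not_a_real_module")
assert(not ok, "unexpected: a module with that name was found")
assert(not err:find("'%.[\\/]"), "a working-directory entry survived the filter")
print(err)
```

The filter is intentionally stricter than the "./" prefix the commit message mentions: a bare "?.lua" entry also resolves against the working directory, so anything that is not an absolute path is dropped. Running the script from a directory that contains a file named not_a_real_module.lua or not_a_real_module.so before and after the filter is the quickest way to see the difference; with the filter in place the require() still fails.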
--- Begin Message ---
Source: mpv
Source-Version: 0.32.0-2
Done: Reinhard Tartler <siretart@tauware.de>

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950816@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Jul 2020 18:01:43 -0400
Source: mpv
Architecture: source
Version: 0.32.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 950816
Changes:
 mpv (0.32.0-2) unstable; urgency=medium
 .
   * Bug fix: "unintended code execution vulnerability", thanks to astian
     (Closes: #950816). Patch backported from upstream
Checksums-Sha1:
 2f8162366f112c882e0a20ad3f1872dd14f473fb 2981 mpv_0.32.0-2.dsc
 6e17602575954836f8778029396358484ec6254e 108264 mpv_0.32.0-2.debian.tar.xz
Checksums-Sha256:
 3f2b2b6391e141dd0376a109c6bb04971cdf2f9414d02ceee0e40ba3f4f6dbc1 2981 mpv_0.32.0-2.dsc
 2470a0429811a08241b851df10ac0a54bde92e396be2ec43b73d0b8e149ed165 108264 mpv_0.32.0-2.debian.tar.xz
Files:
 ff897a23d41737dc7a66e3f0212c019c 2981 video optional mpv_0.32.0-2.dsc
 1fd61d5969801931909049aaee3924f1 108264 video optional mpv_0.32.0-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---