community/mpv: security fix CVE-2018-6360

2025-08-05 21:37:15 +02:00 · 2018-02-07 14:59:05 +00:00 · 2018-02-07 14:59:05 +00:00 · cb35795acc
commit cb35795acc
parent f6dbda6d21
2 changed files with 115 additions and 3 deletions
--- a/community/mpv/APKBUILD
+++ b/community/mpv/APKBUILD
@ -5,7 +5,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=mpv
 pkgver=0.27.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Video player based on MPlayer/mplayer2"
 url="https://mpv.io/"
 arch="all"
@ -20,9 +20,15 @@ subpackages="
 	$pkgname-libs
 	$pkgname-zsh-completion:zshcomp:noarch"
 source="$pkgname-$pkgver.tar.gz::https://github.com/mpv-player/$pkgname/archive/v$pkgver.tar.gz
-	fix-libva2.patch"
+	fix-libva2.patch
+	CVE-2018-6360.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"

+# secfixes:
+#   0.27.0-r3:
+#     - CVE-2018-6360
+
 prepare() {
 	default_prepare

@ -69,4 +75,5 @@ zshcomp() {
 }

 sha512sums="22738f907d84d362095773972f685e3b03ab4c8172a22ddede290fc221a83ab9135b96f8b18191dabe842b2963f68983929cf065097287fc1a054a7d5f1d0ae4  mpv-0.27.0.tar.gz
-43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84  fix-libva2.patch"
+43e89cf7e939cc30c4a70172f06d652005a251350dfc9335d51dde981f177b656bf3cf8f3eaa1a2b19fc563e9a09f6e32843eff2105fab7e3d9e10f3b2245f84  fix-libva2.patch
+59418020e66b48d27e8822fe2ccab9bb61a2a8fe0becb4bcadd8580f58785ab1d568f62af0edda43e3dab7ed76bb607ce6e6ced64cd2bda5fc2c346c1a0d9f13  CVE-2018-6360.patch"
--- a/community/mpv/CVE-2018-6360.patch
+++ b/community/mpv/CVE-2018-6360.patch
@ -0,0 +1,105 @@
+Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl
+ This patch is a combination of these upstream commits:
+ - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from
+   youtube-dl")
+ - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code")
+ - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls")
+ .
+ jcowgill: backported to 0.27
+ Fixes CVE-2018-6360
+Author: Ricardo Constantino <wiiaboo@gmail.com>
+Bug: https://github.com/mpv-player/mpv/issues/5456
+Bug-Debian: https://bugs.debian.org/888654
+Applied-Upstream: v0.29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/player/lua/ytdl_hook.lua
+++ b/player/lua/ytdl_hook.lua
+@@ -15,6 +15,18 @@ local ytdl = {
+ 
+ local chapter_list = {}
+ 
+function Set (t)
+    local set = {}
+    for _, v in pairs(t) do set[v] = true end
+    return set
+end
+
+local safe_protos = Set {
+    "http", "https", "ftp", "ftps",
+    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
+    "data"
+}
+
+ local function exec(args)
+     local ret = utils.subprocess({args = args})
+     return ret.status, ret.stdout, ret
+@@ -71,6 +83,15 @@ local function edl_escape(url)
+     return "%" .. string.len(url) .. "%" .. url
+ end
+ 
+local function url_is_safe(url)
+    local proto = type(url) == "string" and url:match("^(.+)://") or nil
+    local safe = proto and safe_protos[proto]
+    if not safe then
+        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+    end
+    return safe
+end
+
+ local function time_to_secs(time_string)
+     local ret
+ 
+@@ -182,6 +203,9 @@ local function edl_track_joined(fragment
+ 
+     for i = offset, #fragments do
+         local fragment = fragments[i]
+        if not url_is_safe(join_url(base, fragment)) then
+            return nil
+        end
+         table.insert(parts, edl_escape(join_url(base, fragment)))
+         if fragment.duration then
+             parts[#parts] =
+@@ -201,6 +225,9 @@ local function add_single_video(json)
+             edl_track = edl_track_joined(track.fragments,
+                 track.protocol, json.is_live,
+                 track.fragment_base_url)
+            if not edl_track and not url_is_safe(track.url) then
+                return
+            end
+             if track.acodec and track.acodec ~= "none" then
+                 -- audio track
+                 mp.commandv("audio-add",
+@@ -217,6 +244,9 @@ local function add_single_video(json)
+         edl_track = edl_track_joined(json.fragments, json.protocol,
+             json.is_live, json.fragment_base_url)
+ 
+        if not edl_track and not url_is_safe(json.url) then
+            return
+        end
+         -- normal video or single track
+         streamurl = edl_track or json.url
+         set_http_headers(json.http_headers)
+@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function ()
+ 
+                 msg.debug("EDL: " .. playlist)
+ 
+                if not playlist then
+                    return
+                end
+
+                 -- can't change the http headers for each entry, so use the 1st
+                 if json.entries[1] then
+                     set_http_headers(json.entries[1].http_headers)
+@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function ()
+                         site = entry["webpage_url"]
+                     end
+ 
+-                    playlist = playlist .. "ytdl://" .. site .. "\n"
+                    if url_is_safe(site) then
+                        playlist = playlist .. "ytdl://" .. site .. "\n"
+                    end
+                 end
+ 
+                 mp.set_property("stream-open-filename", "memory://" .. playlist)