aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-1.patch138
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-2.patch59
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-3.patch84
-rw-r--r--gnu/packages/video.scm7
4 files changed, 2 insertions, 286 deletions
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
deleted file mode 100644
index 55fc7daaf3..0000000000
--- a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-Fix CVE-2018-6360:
-
-https://github.com/mpv-player/mpv/issues/5456
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
-https://security-tracker.debian.org/tracker/CVE-2018-6360
-
-Patch copied from upstream source repository:
-
-https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
-
-To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
-checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
-for the 0.28.0 release. So it should be safe to remove hunk #4.
-
-From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
-From: Ricardo Constantino <wiiaboo@gmail.com>
-Date: Fri, 26 Jan 2018 01:19:04 +0000
-Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
- youtube-dl
-
-Not very clean since there's a lot of potential unsafe urls that youtube-dl
-can give us, depending on whether it's a single url, split tracks,
-playlists, segmented dash, etc.
----
- player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 47 insertions(+), 7 deletions(-)
-
-diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
-index dd96ecc01d..b480c21625 100644
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -16,6 +16,18 @@ local ytdl = {
-
- local chapter_list = {}
-
-+function Set (t)
-+ local set = {}
-+ for _, v in pairs(t) do set[v] = true end
-+ return set
-+end
-+
-+local safe_protos = Set {
-+ "http", "https", "ftp", "ftps",
-+ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
-+ "data"
-+}
-+
- local function exec(args)
- local ret = utils.subprocess({args = args})
- return ret.status, ret.stdout, ret
-@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
-
- for i = offset, #fragments do
- local fragment = fragments[i]
-+ if not url_is_safe(join_url(base, fragment)) then
-+ return nil
-+ end
- table.insert(parts, edl_escape(join_url(base, fragment)))
- if fragment.duration then
- parts[#parts] =
-@@ -208,6 +223,15 @@ local function proto_is_dash(json)
- or json["protocol"] == "http_dash_segments"
- end
-
-+local function url_is_safe(url)
-+ local proto = type(url) == "string" and url:match("^(.+)://") or nil
-+ local safe = proto and safe_protos[proto]
-+ if not safe then
-+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
-+ end
-+ return safe
-+end
-+
- local function add_single_video(json)
- local streamurl = ""
- local max_bitrate = 0
-@@ -238,14 +264,18 @@ local function add_single_video(json)
- edl_track = edl_track_joined(track.fragments,
- track.protocol, json.is_live,
- track.fragment_base_url)
-+ local url = edl_track or track.url
-+ if not url_is_safe(url) then
-+ return
-+ end
- if track.acodec and track.acodec ~= "none" then
- -- audio track
- mp.commandv("audio-add",
-- edl_track or track.url, "auto",
-+ url, "auto",
- track.format_note or "")
- elseif track.vcodec and track.vcodec ~= "none" then
- -- video track
-- streamurl = edl_track or track.url
-+ streamurl = url
- end
- end
-
-@@ -264,7 +294,13 @@ local function add_single_video(json)
-
- msg.debug("streamurl: " .. streamurl)
-
-- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
-+ streamurl = streamurl:gsub("^data:", "data://", 1)
-+
-+ if not url_is_safe(streamurl) then
-+ return
-+ end
-+
-+ mp.set_property("stream-open-filename", streamurl)
-
- mp.set_property("file-local-options/force-media-title", json.title)
-
-@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
- site = entry["webpage_url"]
- end
-
-- if not (site:find("https?://") == 1) then
-- site = "ytdl://" .. site
-+ -- links with only youtube id as returned by --flat-playlist
-+ if not site:find("://") then
-+ table.insert(playlist, "ytdl://" .. site)
-+ elseif url_is_safe(site) then
-+ table.insert(playlist, site)
- end
-- table.insert(playlist, site)
-
- end
-
-- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
-+ if #playlist > 0 then
-+ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
-+ end
- end
-
- else -- probably a video
---
-2.16.1
-
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
deleted file mode 100644
index b37e33a641..0000000000
--- a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-Fix CVE-2018-6360:
-
-https://github.com/mpv-player/mpv/issues/5456
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
-https://security-tracker.debian.org/tracker/CVE-2018-6360
-
-Patch copied from upstream source repository:
-
-https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
-
-From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
-From: Ricardo Constantino <wiiaboo@gmail.com>
-Date: Fri, 26 Jan 2018 11:26:27 +0000
-Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
-
-lua isn't javascript.
----
- player/lua/ytdl_hook.lua | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
-index b480c21625..458c94af38 100644
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -84,6 +84,15 @@ local function edl_escape(url)
- return "%" .. string.len(url) .. "%" .. url
- end
-
-+local function url_is_safe(url)
-+ local proto = type(url) == "string" and url:match("^(.+)://") or nil
-+ local safe = proto and safe_protos[proto]
-+ if not safe then
-+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
-+ end
-+ return safe
-+end
-+
- local function time_to_secs(time_string)
- local ret
-
-@@ -223,15 +232,6 @@ local function proto_is_dash(json)
- or json["protocol"] == "http_dash_segments"
- end
-
--local function url_is_safe(url)
-- local proto = type(url) == "string" and url:match("^(.+)://") or nil
-- local safe = proto and safe_protos[proto]
-- if not safe then
-- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
-- end
-- return safe
--end
--
- local function add_single_video(json)
- local streamurl = ""
- local max_bitrate = 0
---
-2.16.1
-
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
deleted file mode 100644
index dc3e272d37..0000000000
--- a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-Fix CVE-2018-6360:
-
-https://github.com/mpv-player/mpv/issues/5456
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
-https://security-tracker.debian.org/tracker/CVE-2018-6360
-
-Patch copied from upstream source repository:
-
-https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
-
-From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
-From: Ricardo Constantino <wiiaboo@gmail.com>
-Date: Fri, 26 Jan 2018 18:54:17 +0000
-Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
-
----
- player/lua/ytdl_hook.lua | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
-index 458c94af38..6c8e78657d 100644
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -264,18 +264,17 @@ local function add_single_video(json)
- edl_track = edl_track_joined(track.fragments,
- track.protocol, json.is_live,
- track.fragment_base_url)
-- local url = edl_track or track.url
-- if not url_is_safe(url) then
-+ if not edl_track and not url_is_safe(track.url) then
- return
- end
- if track.acodec and track.acodec ~= "none" then
- -- audio track
- mp.commandv("audio-add",
-- url, "auto",
-+ edl_track or track.url, "auto",
- track.format_note or "")
- elseif track.vcodec and track.vcodec ~= "none" then
- -- video track
-- streamurl = url
-+ streamurl = edl_track or track.url
- end
- end
-
-@@ -284,6 +283,9 @@ local function add_single_video(json)
- edl_track = edl_track_joined(json.fragments, json.protocol,
- json.is_live, json.fragment_base_url)
-
-+ if not edl_track and not url_is_safe(json.url) then
-+ return
-+ end
- -- normal video or single track
- streamurl = edl_track or json.url
- set_http_headers(json.http_headers)
-@@ -294,13 +296,7 @@ local function add_single_video(json)
-
- msg.debug("streamurl: " .. streamurl)
-
-- streamurl = streamurl:gsub("^data:", "data://", 1)
--
-- if not url_is_safe(streamurl) then
-- return
-- end
--
-- mp.set_property("stream-open-filename", streamurl)
-+ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
-
- mp.set_property("file-local-options/force-media-title", json.title)
-
-@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
-
- msg.debug("EDL: " .. playlist)
-
-+ if not playlist then
-+ return
-+ end
-+
- -- can't change the http headers for each entry, so use the 1st
- if json.entries[1] then
- set_http_headers(json.entries[1].http_headers)
---
-2.16.1
-
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 988ed5c7fd..6adce7ba10 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1009,7 +1009,7 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
(define-public mpv
(package
(name "mpv")
- (version "0.28.0")
+ (version "0.28.1")
(source (origin
(method url-fetch)
(uri (string-append
@@ -1017,10 +1017,7 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
".tar.gz"))
(sha256
(base32
- "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))
- (patches (search-patches "mpv-CVE-2018-6360-1.patch"
- "mpv-CVE-2018-6360-2.patch"
- "mpv-CVE-2018-6360-3.patch"))
+ "1i1czric6dhbwvyxamzrnwjwsznrn9cpzp6m0m6aahiwpbfbl282"))
(file-name (string-append name "-" version ".tar.gz"))))
(build-system waf-build-system)
(native-inputs