diff options
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 84 | ||||
-rw-r--r-- | gnu/packages/video.scm | 7 |
4 files changed, 2 insertions, 286 deletions
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch deleted file mode 100644 index 55fc7daaf3..0000000000 --- a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch +++ /dev/null @@ -1,138 +0,0 @@ -Fix CVE-2018-6360: - -https://github.com/mpv-player/mpv/issues/5456 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 -https://security-tracker.debian.org/tracker/CVE-2018-6360 - -Patch copied from upstream source repository: - -https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 - -To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4 -checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available -for the 0.28.0 release. So it should be safe to remove hunk #4. - -From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001 -From: Ricardo Constantino <wiiaboo@gmail.com> -Date: Fri, 26 Jan 2018 01:19:04 +0000 -Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from - youtube-dl - -Not very clean since there's a lot of potential unsafe urls that youtube-dl -can give us, depending on whether it's a single url, split tracks, -playlists, segmented dash, etc. ---- - player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 47 insertions(+), 7 deletions(-) - -diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua -index dd96ecc01d..b480c21625 100644 ---- a/player/lua/ytdl_hook.lua -+++ b/player/lua/ytdl_hook.lua -@@ -16,6 +16,18 @@ local ytdl = { - - local chapter_list = {} - -+function Set (t) -+ local set = {} -+ for _, v in pairs(t) do set[v] = true end -+ return set -+end -+ -+local safe_protos = Set { -+ "http", "https", "ftp", "ftps", -+ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", -+ "data" -+} -+ - local function exec(args) - local ret = utils.subprocess({args = args}) - return ret.status, ret.stdout, ret -@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base) - - for i = offset, #fragments do - local fragment = fragments[i] -+ if not url_is_safe(join_url(base, fragment)) then -+ return nil -+ end - table.insert(parts, edl_escape(join_url(base, fragment))) - if fragment.duration then - parts[#parts] = -@@ -208,6 +223,15 @@ local function proto_is_dash(json) - or json["protocol"] == "http_dash_segments" - end - -+local function url_is_safe(url) -+ local proto = type(url) == "string" and url:match("^(.+)://") or nil -+ local safe = proto and safe_protos[proto] -+ if not safe then -+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) -+ end -+ return safe -+end -+ - local function add_single_video(json) - local streamurl = "" - local max_bitrate = 0 -@@ -238,14 +264,18 @@ local function add_single_video(json) - edl_track = edl_track_joined(track.fragments, - track.protocol, json.is_live, - track.fragment_base_url) -+ local url = edl_track or track.url -+ if not url_is_safe(url) then -+ return -+ end - if track.acodec and track.acodec ~= "none" then - -- audio track - mp.commandv("audio-add", -- edl_track or track.url, "auto", -+ url, "auto", - track.format_note or "") - elseif track.vcodec and track.vcodec ~= "none" then - -- video track -- streamurl = edl_track or track.url -+ streamurl = url - end - end - -@@ -264,7 +294,13 @@ local function add_single_video(json) - - msg.debug("streamurl: " .. streamurl) - -- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) -+ streamurl = streamurl:gsub("^data:", "data://", 1) -+ -+ if not url_is_safe(streamurl) then -+ return -+ end -+ -+ mp.set_property("stream-open-filename", streamurl) - - mp.set_property("file-local-options/force-media-title", json.title) - -@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () - site = entry["webpage_url"] - end - -- if not (site:find("https?://") == 1) then -- site = "ytdl://" .. site -+ -- links with only youtube id as returned by --flat-playlist -+ if not site:find("://") then -+ table.insert(playlist, "ytdl://" .. site) -+ elseif url_is_safe(site) then -+ table.insert(playlist, site) - end -- table.insert(playlist, site) - - end - -- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) -+ if #playlist > 0 then -+ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) -+ end - end - - else -- probably a video --- -2.16.1 - diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch deleted file mode 100644 index b37e33a641..0000000000 --- a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch +++ /dev/null @@ -1,59 +0,0 @@ -Fix CVE-2018-6360: - -https://github.com/mpv-player/mpv/issues/5456 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 -https://security-tracker.debian.org/tracker/CVE-2018-6360 - -Patch copied from upstream source repository: - -https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f - -From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001 -From: Ricardo Constantino <wiiaboo@gmail.com> -Date: Fri, 26 Jan 2018 11:26:27 +0000 -Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code - -lua isn't javascript. ---- - player/lua/ytdl_hook.lua | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua -index b480c21625..458c94af38 100644 ---- a/player/lua/ytdl_hook.lua -+++ b/player/lua/ytdl_hook.lua -@@ -84,6 +84,15 @@ local function edl_escape(url) - return "%" .. string.len(url) .. "%" .. url - end - -+local function url_is_safe(url) -+ local proto = type(url) == "string" and url:match("^(.+)://") or nil -+ local safe = proto and safe_protos[proto] -+ if not safe then -+ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) -+ end -+ return safe -+end -+ - local function time_to_secs(time_string) - local ret - -@@ -223,15 +232,6 @@ local function proto_is_dash(json) - or json["protocol"] == "http_dash_segments" - end - --local function url_is_safe(url) -- local proto = type(url) == "string" and url:match("^(.+)://") or nil -- local safe = proto and safe_protos[proto] -- if not safe then -- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) -- end -- return safe --end -- - local function add_single_video(json) - local streamurl = "" - local max_bitrate = 0 --- -2.16.1 - diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch deleted file mode 100644 index dc3e272d37..0000000000 --- a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch +++ /dev/null @@ -1,84 +0,0 @@ -Fix CVE-2018-6360: - -https://github.com/mpv-player/mpv/issues/5456 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 -https://security-tracker.debian.org/tracker/CVE-2018-6360 - -Patch copied from upstream source repository: - -https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828 - -From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001 -From: Ricardo Constantino <wiiaboo@gmail.com> -Date: Fri, 26 Jan 2018 18:54:17 +0000 -Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls - ---- - player/lua/ytdl_hook.lua | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua -index 458c94af38..6c8e78657d 100644 ---- a/player/lua/ytdl_hook.lua -+++ b/player/lua/ytdl_hook.lua -@@ -264,18 +264,17 @@ local function add_single_video(json) - edl_track = edl_track_joined(track.fragments, - track.protocol, json.is_live, - track.fragment_base_url) -- local url = edl_track or track.url -- if not url_is_safe(url) then -+ if not edl_track and not url_is_safe(track.url) then - return - end - if track.acodec and track.acodec ~= "none" then - -- audio track - mp.commandv("audio-add", -- url, "auto", -+ edl_track or track.url, "auto", - track.format_note or "") - elseif track.vcodec and track.vcodec ~= "none" then - -- video track -- streamurl = url -+ streamurl = edl_track or track.url - end - end - -@@ -284,6 +283,9 @@ local function add_single_video(json) - edl_track = edl_track_joined(json.fragments, json.protocol, - json.is_live, json.fragment_base_url) - -+ if not edl_track and not url_is_safe(json.url) then -+ return -+ end - -- normal video or single track - streamurl = edl_track or json.url - set_http_headers(json.http_headers) -@@ -294,13 +296,7 @@ local function add_single_video(json) - - msg.debug("streamurl: " .. streamurl) - -- streamurl = streamurl:gsub("^data:", "data://", 1) -- -- if not url_is_safe(streamurl) then -- return -- end -- -- mp.set_property("stream-open-filename", streamurl) -+ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) - - mp.set_property("file-local-options/force-media-title", json.title) - -@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () - - msg.debug("EDL: " .. playlist) - -+ if not playlist then -+ return -+ end -+ - -- can't change the http headers for each entry, so use the 1st - if json.entries[1] then - set_http_headers(json.entries[1].http_headers) --- -2.16.1 - diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index 988ed5c7fd..6adce7ba10 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -1009,7 +1009,7 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.") (define-public mpv (package (name "mpv") - (version "0.28.0") + (version "0.28.1") (source (origin (method url-fetch) (uri (string-append @@ -1017,10 +1017,7 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.") ".tar.gz")) (sha256 (base32 - "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f")) - (patches (search-patches "mpv-CVE-2018-6360-1.patch" - "mpv-CVE-2018-6360-2.patch" - "mpv-CVE-2018-6360-3.patch")) + "1i1czric6dhbwvyxamzrnwjwsznrn9cpzp6m0m6aahiwpbfbl282")) (file-name (string-append name "-" version ".tar.gz")))) (build-system waf-build-system) (native-inputs |