diff options
author | Alex Vong <alexvong1995@gmail.com> | 2018-02-07 14:39:40 +0800 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2018-02-08 15:18:21 -0500 |
commit | e61da2e8848782052d6d5d69f111520a7f772e52 (patch) | |
tree | e2eb652138daa430a66aa023091904d3a25dc0f8 | |
parent | 30335a2963919976413336e8cfda0cb5dee5c21f (diff) | |
download | guix-e61da2e8848782052d6d5d69f111520a7f772e52.tar.gz |
gnu: mpv: Fix CVE-2018-6360.
* gnu/packages/patches/mpv-CVE-2018-6360-1.patch, gnu/packages/patches/mpv-CVE-2018-6360-2.patch, gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/video.scm (mpv)[source]: Use them. Signed-off-by: Leo Famulari <leo@famulari.name>
-rw-r--r-- | gnu/local.mk | 5 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 | ||||
-rw-r--r-- | gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 84 | ||||
-rw-r--r-- | gnu/packages/video.scm | 5 |
5 files changed, 289 insertions, 2 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 823469eea2..2ef483df0e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -9,7 +9,7 @@ # Copyright © 2016 Adonay "adfeno" Felipe Nogueira <https://libreplanet.org/wiki/User:Adfeno> <adfeno@openmailbox.org> # Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net> # Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com> -# Copyright © 2016, 2017 Alex Vong <alexvong1995@gmail.com> +# Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com> # Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> # Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org> # Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> @@ -909,6 +909,9 @@ dist_patch_DATA = \ %D%/packages/patches/mhash-keygen-test-segfault.patch \ %D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \ %D%/packages/patches/mpc123-initialize-ao.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-1.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-2.patch \ + %D%/packages/patches/mpv-CVE-2018-6360-3.patch \ %D%/packages/patches/module-init-tools-moduledir.patch \ %D%/packages/patches/mongodb-support-unknown-linux-distributions.patch \ %D%/packages/patches/mozjs17-aarch64-support.patch \ diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch new file mode 100644 index 0000000000..55fc7daaf3 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch @@ -0,0 +1,138 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 + +To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4 +checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available +for the 0.28.0 release. So it should be safe to remove hunk #4. + +From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 01:19:04 +0000 +Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from + youtube-dl + +Not very clean since there's a lot of potential unsafe urls that youtube-dl +can give us, depending on whether it's a single url, split tracks, +playlists, segmented dash, etc. +--- + player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 47 insertions(+), 7 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index dd96ecc01d..b480c21625 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -16,6 +16,18 @@ local ytdl = { + + local chapter_list = {} + ++function Set (t) ++ local set = {} ++ for _, v in pairs(t) do set[v] = true end ++ return set ++end ++ ++local safe_protos = Set { ++ "http", "https", "ftp", "ftps", ++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte", ++ "data" ++} ++ + local function exec(args) + local ret = utils.subprocess({args = args}) + return ret.status, ret.stdout, ret +@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base) + + for i = offset, #fragments do + local fragment = fragments[i] ++ if not url_is_safe(join_url(base, fragment)) then ++ return nil ++ end + table.insert(parts, edl_escape(join_url(base, fragment))) + if fragment.duration then + parts[#parts] = +@@ -208,6 +223,15 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +@@ -238,14 +264,18 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) ++ local url = edl_track or track.url ++ if not url_is_safe(url) then ++ return ++ end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +- edl_track or track.url, "auto", ++ url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~= "none" then + -- video track +- streamurl = edl_track or track.url ++ streamurl = url + end + end + +@@ -264,7 +294,13 @@ local function add_single_video(json) + + msg.debug("streamurl: " .. streamurl) + +- mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) ++ streamurl = streamurl:gsub("^data:", "data://", 1) ++ ++ if not url_is_safe(streamurl) then ++ return ++ end ++ ++ mp.set_property("stream-open-filename", streamurl) + + mp.set_property("file-local-options/force-media-title", json.title) + +@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () + site = entry["webpage_url"] + end + +- if not (site:find("https?://") == 1) then +- site = "ytdl://" .. site ++ -- links with only youtube id as returned by --flat-playlist ++ if not site:find("://") then ++ table.insert(playlist, "ytdl://" .. site) ++ elseif url_is_safe(site) then ++ table.insert(playlist, site) + end +- table.insert(playlist, site) + + end + +- mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) ++ if #playlist > 0 then ++ mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n")) ++ end + end + + else -- probably a video +-- +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch new file mode 100644 index 0000000000..b37e33a641 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch @@ -0,0 +1,59 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f + +From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 11:26:27 +0000 +Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code + +lua isn't javascript. +--- + player/lua/ytdl_hook.lua | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index b480c21625..458c94af38 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -84,6 +84,15 @@ local function edl_escape(url) + return "%" .. string.len(url) .. "%" .. url + end + ++local function url_is_safe(url) ++ local proto = type(url) == "string" and url:match("^(.+)://") or nil ++ local safe = proto and safe_protos[proto] ++ if not safe then ++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) ++ end ++ return safe ++end ++ + local function time_to_secs(time_string) + local ret + +@@ -223,15 +232,6 @@ local function proto_is_dash(json) + or json["protocol"] == "http_dash_segments" + end + +-local function url_is_safe(url) +- local proto = type(url) == "string" and url:match("^(.+)://") or nil +- local safe = proto and safe_protos[proto] +- if not safe then +- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url)) +- end +- return safe +-end +- + local function add_single_video(json) + local streamurl = "" + local max_bitrate = 0 +-- +2.16.1 + diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch new file mode 100644 index 0000000000..dc3e272d37 --- /dev/null +++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch @@ -0,0 +1,84 @@ +Fix CVE-2018-6360: + +https://github.com/mpv-player/mpv/issues/5456 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360 +https://security-tracker.debian.org/tracker/CVE-2018-6360 + +Patch copied from upstream source repository: + +https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828 + +From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001 +From: Ricardo Constantino <wiiaboo@gmail.com> +Date: Fri, 26 Jan 2018 18:54:17 +0000 +Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls + +--- + player/lua/ytdl_hook.lua | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua +index 458c94af38..6c8e78657d 100644 +--- a/player/lua/ytdl_hook.lua ++++ b/player/lua/ytdl_hook.lua +@@ -264,18 +264,17 @@ local function add_single_video(json) + edl_track = edl_track_joined(track.fragments, + track.protocol, json.is_live, + track.fragment_base_url) +- local url = edl_track or track.url +- if not url_is_safe(url) then ++ if not edl_track and not url_is_safe(track.url) then + return + end + if track.acodec and track.acodec ~= "none" then + -- audio track + mp.commandv("audio-add", +- url, "auto", ++ edl_track or track.url, "auto", + track.format_note or "") + elseif track.vcodec and track.vcodec ~= "none" then + -- video track +- streamurl = url ++ streamurl = edl_track or track.url + end + end + +@@ -284,6 +283,9 @@ local function add_single_video(json) + edl_track = edl_track_joined(json.fragments, json.protocol, + json.is_live, json.fragment_base_url) + ++ if not edl_track and not url_is_safe(json.url) then ++ return ++ end + -- normal video or single track + streamurl = edl_track or json.url + set_http_headers(json.http_headers) +@@ -294,13 +296,7 @@ local function add_single_video(json) + + msg.debug("streamurl: " .. streamurl) + +- streamurl = streamurl:gsub("^data:", "data://", 1) +- +- if not url_is_safe(streamurl) then +- return +- end +- +- mp.set_property("stream-open-filename", streamurl) ++ mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1)) + + mp.set_property("file-local-options/force-media-title", json.title) + +@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function () + + msg.debug("EDL: " .. playlist) + ++ if not playlist then ++ return ++ end ++ + -- can't change the http headers for each entry, so use the 1st + if json.entries[1] then + set_http_headers(json.entries[1].http_headers) +-- +2.16.1 + diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index 8cbe590bf2..5865713b85 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -6,7 +6,7 @@ ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2015 Andy Patterson <ajpatter@uwaterloo.ca> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net> -;;; Copyright © 2015, 2016, 2017 Alex Vong <alexvong1995@gmail.com> +;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com> ;;; Copyright © 2016, 2017 Alex Griffin <a@ajgrf.com> ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net> ;;; Copyright © 2016 Dmitry Nikolaev <cameltheman@gmail.com> @@ -1018,6 +1018,9 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.") (sha256 (base32 "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f")) + (patches (search-patches "mpv-CVE-2018-6360-1.patch" + "mpv-CVE-2018-6360-2.patch" + "mpv-CVE-2018-6360-3.patch")) (file-name (string-append name "-" version ".tar.gz")))) (build-system waf-build-system) (native-inputs |