summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorRutger Helling <rhelling@mykolab.com>2018-02-13 10:09:56 +0100
committerRutger Helling <rhelling@mykolab.com>2018-02-13 10:13:40 +0100
commit171c7642b840ce4b4bfb0b97f874014c66ec5ea7 (patch)
tree1c6ec10dab8573fe010c4b496c3cbef3968580c9 /gnu
parent4747cca2b4eafd84aa4a2dfb5151f18a1b626ff0 (diff)
downloadguix-171c7642b840ce4b4bfb0b97f874014c66ec5ea7.tar.gz
gnu: mpv: Update to 0.28.1 [fixes CVE-2018-6360].
* gnu/packages/video.scm (mpv): Update to 0.28.1.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-1.patch138
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-2.patch59
-rw-r--r--gnu/packages/patches/mpv-CVE-2018-6360-3.patch84
-rw-r--r--gnu/packages/video.scm7
4 files changed, 2 insertions, 286 deletions
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
deleted file mode 100644
index 55fc7daaf3..0000000000
--- a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-Fix CVE-2018-6360:
-
-https://github.com/mpv-player/mpv/issues/5456
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
-https://security-tracker.debian.org/tracker/CVE-2018-6360
-
-Patch copied from upstream source repository:
-
-https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
-
-To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
-checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
-for the 0.28.0 release. So it should be safe to remove hunk #4.
-
-From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
-From: Ricardo Constantino <wiiaboo@gmail.com>
-Date: Fri, 26 Jan 2018 01:19:04 +0000
-Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
- youtube-dl
-
-Not very clean since there's a lot of potential unsafe urls that youtube-dl
-can give us, depending on whether it's a single url, split tracks,
-playlists, segmented dash, etc.
----
- player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 47 insertions(+), 7 deletions(-)
-
-diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
-index dd96ecc01d..b480c21625 100644
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -16,6 +16,18 @@ local ytdl = {
- 
- local chapter_list = {}
- 
-+function Set (t)
-+    local set = {}
-+    for _, v in pairs(t) do set[v] = true end
-+    return set
-+end
-+
-+local safe_protos = Set {
-+    "http", "https", "ftp", "ftps",
-+    "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
-+    "data"
-+}
-+
- local function exec(args)
-     local ret = utils.subprocess({args = args})
-     return ret.status, ret.stdout, ret
-@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol, is_live, base)
- 
-     for i = offset, #fragments do
-         local fragment = fragments[i]
-+        if not url_is_safe(join_url(base, fragment)) then
-+            return nil
-+        end
-         table.insert(parts, edl_escape(join_url(base, fragment)))
-         if fragment.duration then
-             parts[#parts] =
-@@ -208,6 +223,15 @@ local function proto_is_dash(json)
-            or json["protocol"] == "http_dash_segments"
- end
- 
-+local function url_is_safe(url)
-+    local proto = type(url) == "string" and url:match("^(.+)://") or nil
-+    local safe = proto and safe_protos[proto]
-+    if not safe then
-+        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
-+    end
-+    return safe
-+end
-+
- local function add_single_video(json)
-     local streamurl = ""
-     local max_bitrate = 0
-@@ -238,14 +264,18 @@ local function add_single_video(json)
-             edl_track = edl_track_joined(track.fragments,
-                 track.protocol, json.is_live,
-                 track.fragment_base_url)
-+            local url = edl_track or track.url
-+            if not url_is_safe(url) then
-+                return
-+            end
-             if track.acodec and track.acodec ~= "none" then
-                 -- audio track
-                 mp.commandv("audio-add",
--                    edl_track or track.url, "auto",
-+                    url, "auto",
-                     track.format_note or "")
-             elseif track.vcodec and track.vcodec ~= "none" then
-                 -- video track
--                streamurl = edl_track or track.url
-+                streamurl = url
-             end
-         end
- 
-@@ -264,7 +294,13 @@ local function add_single_video(json)
- 
-     msg.debug("streamurl: " .. streamurl)
- 
--    mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
-+    streamurl = streamurl:gsub("^data:", "data://", 1)
-+
-+    if not url_is_safe(streamurl) then
-+        return
-+    end
-+
-+    mp.set_property("stream-open-filename", streamurl)
- 
-     mp.set_property("file-local-options/force-media-title", json.title)
- 
-@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
-                         site = entry["webpage_url"]
-                     end
- 
--                    if not (site:find("https?://") == 1) then
--                        site = "ytdl://" .. site
-+                    -- links with only youtube id as returned by --flat-playlist
-+                    if not site:find("://") then
-+                        table.insert(playlist, "ytdl://" .. site)
-+                    elseif url_is_safe(site) then
-+                        table.insert(playlist, site)
-                     end
--                    table.insert(playlist, site)
- 
-                 end
- 
--                mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
-+                if #playlist > 0 then
-+                    mp.set_property("stream-open-filename", "memory://" .. table.concat(playlist, "\n"))
-+                end
-             end
- 
-         else -- probably a video
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
deleted file mode 100644
index b37e33a641..0000000000
--- a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-Fix CVE-2018-6360:
-
-https://github.com/mpv-player/mpv/issues/5456
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
-https://security-tracker.debian.org/tracker/CVE-2018-6360
-
-Patch copied from upstream source repository:
-
-https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
-
-From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
-From: Ricardo Constantino <wiiaboo@gmail.com>
-Date: Fri, 26 Jan 2018 11:26:27 +0000
-Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
-
-lua isn't javascript.
----
- player/lua/ytdl_hook.lua | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
-index b480c21625..458c94af38 100644
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -84,6 +84,15 @@ local function edl_escape(url)
-     return "%" .. string.len(url) .. "%" .. url
- end
- 
-+local function url_is_safe(url)
-+    local proto = type(url) == "string" and url:match("^(.+)://") or nil
-+    local safe = proto and safe_protos[proto]
-+    if not safe then
-+        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
-+    end
-+    return safe
-+end
-+
- local function time_to_secs(time_string)
-     local ret
- 
-@@ -223,15 +232,6 @@ local function proto_is_dash(json)
-            or json["protocol"] == "http_dash_segments"
- end
- 
--local function url_is_safe(url)
--    local proto = type(url) == "string" and url:match("^(.+)://") or nil
--    local safe = proto and safe_protos[proto]
--    if not safe then
--        msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
--    end
--    return safe
--end
--
- local function add_single_video(json)
-     local streamurl = ""
-     local max_bitrate = 0
--- 
-2.16.1
-
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
deleted file mode 100644
index dc3e272d37..0000000000
--- a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-Fix CVE-2018-6360:
-
-https://github.com/mpv-player/mpv/issues/5456
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
-https://security-tracker.debian.org/tracker/CVE-2018-6360
-
-Patch copied from upstream source repository:
-
-https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
-
-From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
-From: Ricardo Constantino <wiiaboo@gmail.com>
-Date: Fri, 26 Jan 2018 18:54:17 +0000
-Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
-
----
- player/lua/ytdl_hook.lua | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
-index 458c94af38..6c8e78657d 100644
---- a/player/lua/ytdl_hook.lua
-+++ b/player/lua/ytdl_hook.lua
-@@ -264,18 +264,17 @@ local function add_single_video(json)
-             edl_track = edl_track_joined(track.fragments,
-                 track.protocol, json.is_live,
-                 track.fragment_base_url)
--            local url = edl_track or track.url
--            if not url_is_safe(url) then
-+            if not edl_track and not url_is_safe(track.url) then
-                 return
-             end
-             if track.acodec and track.acodec ~= "none" then
-                 -- audio track
-                 mp.commandv("audio-add",
--                    url, "auto",
-+                    edl_track or track.url, "auto",
-                     track.format_note or "")
-             elseif track.vcodec and track.vcodec ~= "none" then
-                 -- video track
--                streamurl = url
-+                streamurl = edl_track or track.url
-             end
-         end
- 
-@@ -284,6 +283,9 @@ local function add_single_video(json)
-         edl_track = edl_track_joined(json.fragments, json.protocol,
-             json.is_live, json.fragment_base_url)
- 
-+        if not edl_track and not url_is_safe(json.url) then
-+            return
-+        end
-         -- normal video or single track
-         streamurl = edl_track or json.url
-         set_http_headers(json.http_headers)
-@@ -294,13 +296,7 @@ local function add_single_video(json)
- 
-     msg.debug("streamurl: " .. streamurl)
- 
--    streamurl = streamurl:gsub("^data:", "data://", 1)
--
--    if not url_is_safe(streamurl) then
--        return
--    end
--
--    mp.set_property("stream-open-filename", streamurl)
-+    mp.set_property("stream-open-filename", streamurl:gsub("^data:", "data://", 1))
- 
-     mp.set_property("file-local-options/force-media-title", json.title)
- 
-@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or "on_load_fail", 10, function ()
- 
-                 msg.debug("EDL: " .. playlist)
- 
-+                if not playlist then
-+                    return
-+                end
-+
-                 -- can't change the http headers for each entry, so use the 1st
-                 if json.entries[1] then
-                     set_http_headers(json.entries[1].http_headers)
--- 
-2.16.1
-
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 988ed5c7fd..6adce7ba10 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1009,7 +1009,7 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
 (define-public mpv
   (package
     (name "mpv")
-    (version "0.28.0")
+    (version "0.28.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -1017,10 +1017,7 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
                     ".tar.gz"))
               (sha256
                (base32
-                "1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))
-              (patches (search-patches "mpv-CVE-2018-6360-1.patch"
-                                       "mpv-CVE-2018-6360-2.patch"
-                                       "mpv-CVE-2018-6360-3.patch"))
+                "1i1czric6dhbwvyxamzrnwjwsznrn9cpzp6m0m6aahiwpbfbl282"))
               (file-name (string-append name "-" version ".tar.gz"))))
     (build-system waf-build-system)
     (native-inputs