author | Svyatoslav Mishyn <svyatoslav.mishyn@gmail.com> | 2018-02-05 20:49:44 +0200 |
---|---|---|
committer | Svyatoslav Mishyn <svyatoslav.mishyn@gmail.com> | 2018-02-05 20:49:44 +0200 |
commit | f5e44ed35b743cc43ce60d6d1867ea2a135045c7 (patch) | |
tree | 5e45a4262bb2b3026661c86397105c29984d4fd3 /mpv | |
parent | 6eee435baea70b78db458baec105f65c4663fdc1 (diff) | |
download | contrib-f5e44ed35b743cc43ce60d6d1867ea2a135045c7.tar.gz contrib-f5e44ed35b743cc43ce60d6d1867ea2a135045c7.tar.xz |
mpv: fix CVE-2018-6360; FS#1578
Diffstat (limited to 'mpv')
-rw-r--r-- | mpv/.md5sum | 1 | ||||
-rw-r--r-- | mpv/.signature | 5 | ||||
-rw-r--r-- | mpv/09_ytdl-hook-whitelist-protocols.patch | 105 | ||||
-rw-r--r-- | mpv/Pkgfile | 12 |
4 files changed, 117 insertions, 6 deletions
diff --git a/mpv/.md5sum b/mpv/.md5sum
index 76a4878b9..2fbcec1e8 100644
--- a/mpv/.md5sum
+++ b/mpv/.md5sum
@@ -1 +1,2 @@
+ab865014635762ab84a8e682ab9dedbe 09_ytdl-hook-whitelist-protocols.patch
 ec86f42b091d891f9a932de0f6e873ad mpv-v0.27.0.tar.gz
diff --git a/mpv/.signature b/mpv/.signature
index 8137be6f9..fbe409c85 100644
--- a/mpv/.signature
+++ b/mpv/.signature
@@ -1,5 +1,6 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF3z0Yob3LTyWbmkJXYzlufFALwQrF3S+OF8Voxo16/iGR6N3Z+75xYjnStxQ2Jr59Wj2Sj+Kn0EuYX3zGbn2pggU=
-SHA256 (Pkgfile) = e270a3008184d66649336996fb97c7a900fdd5a1fc2640dbe7d533c6964a944c
+RWSagIOpLGJF36Uy5lbcdGvZfiuBwsj8MYrh2Mjtcje2kAs7JcFZ3EpwvNFsMCv/qm9kEqH5ZbRcG7VZxAjrSFuq83MujFzkEQE=
+SHA256 (Pkgfile) = c57d18136ac46d5d7e6930a6e63c1802e9eb7cc082e8704700e53d9a9aa9961b
 SHA256 (.footprint) = 3872a22695e9c213f10e0bd6c0ae8fb7c2bba5425dd68eb1ec02c9e0ba171d09
 SHA256 (mpv-v0.27.0.tar.gz) = 341d8bf18b75c1f78d5b681480b5b7f5c8b87d97a0d4f53a5648ede9c219a49c
+SHA256 (09_ytdl-hook-whitelist-protocols.patch) = 6f6bc517c3b1d72a070af64df14428aee76e6cd123b934721851649833061918
diff --git a/mpv/09_ytdl-hook-whitelist-protocols.patch b/mpv/09_ytdl-hook-whitelist-protocols.patch
new file mode 100644
index 000000000..c5c4f54f4
--- /dev/null
+++ b/mpv/09_ytdl-hook-whitelist-protocols.patch
@@ -0,0 +1,105 @@
+Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl
+ This patch is a combination of these upstream commits:
+ - e6e6b0dcc7e9 ("ytdl_hook: whitelist protocols from urls retrieved from
+ youtube-dl")
+ - f8263e82cc74 ("ytdl_hook: move url_is_safe earlier in code")
+ - ce42a965330d ("ytdl_hook: fix safe url checking with EDL urls")
+ .
+ jcowgill: backported to 0.27
+ Fixes CVE-2018-6360
+Author: Ricardo Constantino <wiiaboo@gmail.com>
+Bug: https://github.com/mpv-player/mpv/issues/5456
+Bug-Debian: https://bugs.debian.org/888654
+Applied-Upstream: v0.29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -15,6 +15,18 @@ local ytdl = {
+
+ local chapter_list = {}
+
++function Set (t)
++ local set = {}
++ for _, v in pairs(t) do set[v] = true end
++ return set
++end
++
++local safe_protos = Set {
++ "http", "https", "ftp", "ftps",
++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++ "data"
++}
++
+ local function exec(args)
+ local ret = utils.subprocess({args = args})
+ return ret.status, ret.stdout, ret
+@@ -71,6 +83,15 @@ local function edl_escape(url)
+ return "%" .. string.len(url) .. "%" .. url
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function time_to_secs(time_string)
+ local ret
+
+@@ -182,6 +203,9 @@ local function edl_track_joined(fragment
+
+ for i = offset, #fragments do
+ local fragment = fragments[i]
++ if not url_is_safe(join_url(base, fragment)) then
++ return nil
++ end
+ table.insert(parts, edl_escape(join_url(base, fragment)))
+ if fragment.duration then
+ parts[#parts] =
+@@ -201,6 +225,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
++ if not edl_track and not url_is_safe(track.url) then
++ return
++ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+@@ -217,6 +244,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(json.fragments, json.protocol,
+ json.is_live, json.fragment_base_url)
+
++ if not edl_track and not url_is_safe(json.url) then
++ return
++ end
+ -- normal video or single track
+ streamurl = edl_track or json.url
+ set_http_headers(json.http_headers)
+@@ -408,6 +438,10 @@ mp.add_hook("on_load", 10, function ()
+
+ msg.debug("EDL: " .. playlist)
+
++ if not playlist then
++ return
++ end
++
+ -- can't change the http headers for each entry, so use the 1st
+ if json.entries[1] then
+ set_http_headers(json.entries[1].http_headers)
+@@ -475,7 +509,9 @@ mp.add_hook("on_load", 10, function ()
+ site = entry["webpage_url"]
+ end
+
+- playlist = playlist .. "ytdl://" .. site .. "\n"
++ if url_is_safe(site) then
++ playlist = playlist .. "ytdl://" .. site .. "\n"
++ end
+ end
+
+ mp.set_property("stream-open-filename", "memory://" .. playlist)
diff --git a/mpv/Pkgfile b/mpv/Pkgfile
index 280694afd..60fef49d2 100644
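Review bot: In `url_is_safe` the pattern `^(.+)://` captures greedily up to the last `://` in the string, so an allowed URL that embeds another URL in its path or query yields a proto that is not in `safe_protos` and is rejected, and the `"data"` entry can never match because data URIs carry no `//`. The check fails closed, but the scheme should be parsed explicitly, for example `url:match("^(%a[%w+.-]*):")`. The error path calls `:format(url)` on a value that may be nil or a table, which raises on Lua 5.1 builds; `:format(tostring(url))` keeps the rejection path from throwing. In the `on_load` hunk the context line `msg.debug("EDL: " .. playlist)` runs before the added `if not playlist then` guard, so a nil playlist (presumably what `edl_track_joined` now returns for an unsafe fragment; the hook body starts and ends outside the hunk) errors on concatenation before the guard is reached, and the guard should move above the debug line. `Set` is also declared as a global; `local function Set(t)` would keep it out of the script's global table.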
--- a/mpv/Pkgfile +++ b/mpv/Pkgfile @@ -1,13 +1,14 @@ # Description: General Purpose video player based on MPlayer and mplayer2 -# URL: http://mpv.io/ +# URL: https://mpv.io/ # Maintainer: Svyatoslav Mishyn, svyatoslav dot mishyn at gmail dot com # Depends on: alsa-lib docutils ffmpeg libass mesa3d -# Optional: libquvi libdvdnav libbluray libcdio-paranoia libvdpau +# Optional: youtube-dl libquvi libdvdnav libbluray libcdio-paranoia libvdpau name=mpv version=0.27.0 -release=1 -source=(https://github.com/$name-player/$name/archive/v$version/$name-v$version.tar.gz) +release=2 +source=(https://github.com/$name-player/$name/archive/v$version/$name-v$version.tar.gz \ + 09_ytdl-hook-whitelist-protocols.patch) build() { cd $name-$version @@ -19,6 +20,9 @@ build() { prt-get depinst libcdio-paranoia libdvdnav libbluray, respectively.\033[0m\n" sleep 10 + # CVE-2018-6360 fix + patch -p1 -i $SRC/09_ytdl-hook-whitelist-protocols.patch + ./bootstrap.py ./waf configure ${PKGMK_MPV} \ --prefix=/usr \ |