Hi,

A recent commit adds a protocol whitelist in the youtube-dl hook in order to avoid access to local files.
https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43

A CVE has been assigned to this issue:
https://nvd.nist.gov/vuln/detail/CVE-2018-6360

So, it seems to be a good idea to unmask and then stabilize media-video/mpv-0.28.0.

Regards,
-- alarig
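The protocol-allowlist idea behind the commit linked above, shown as an added Python example rather than mpv's own Lua ytdl_hook code or the upstream patch: a URL handed back by an external resolver is only passed on to the player when its scheme is on an explicit allowlist, so file:// URLs and bare local paths are refused. The allowlist contents, the `check_url`/`filter_entries` names and the sample resolver output are all assumptions made for this illustration.

```python
"""Scheme allowlist for URLs returned by an external resolver such as youtube-dl.

Added example, not mpv's own ytdl_hook code: the allowlist below, the function
names and the sample resolver output are assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Illustrative allowlist (an assumption for this example, not mpv's actual list).
# Only remote streaming schemes pass; file:// and schemeless local paths never do.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "rtmp", "rtmps", "rtsp", "mms"})


class UnsafeUrl(ValueError):
    """A resolver-supplied URL that must not be handed to the player."""


def check_url(url):
    """Return url unchanged if it is safe to open, otherwise raise UnsafeUrl."""
    if not isinstance(url, str) or not url:
        raise UnsafeUrl("empty or non-string URL")
    # Reject control characters and whitespace before parsing: URL parsers may
    # strip them, which would let ' file:///x' or 'fi\nle:///x' through.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        raise UnsafeUrl("control or whitespace character in URL")
    parts = urlsplit(url)  # urlsplit() lowercases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        # Covers file://, 'C:\\video.mkv' (parsed as scheme 'c') and bare
        # paths like /home/user/x.mkv (no scheme at all).
        raise UnsafeUrl("scheme %r is not allowed" % (parts.scheme or "<none>"))
    if not parts.netloc:
        # 'http:///etc/passwd' has an allowed scheme but no host; refuse it too.
        raise UnsafeUrl("URL has no host")
    return url


def is_safe_url(url):
    """Boolean form of check_url for callers that only need a yes/no."""
    try:
        check_url(url)
        return True
    except UnsafeUrl:
        return False


def filter_entries(info):
    """Split a resolver result (single item or playlist) into (safe, rejected).

    info mimics youtube-dl's JSON shape: either {"url": ...} or
    {"entries": [{"url": ...}, ...]}. rejected holds (url, reason) pairs so
    the caller can log why an entry was dropped instead of silently playing it.
    """
    items = info.get("entries") or [info]
    safe, rejected = [], []
    for item in items:
        url = item.get("url")
        try:
            safe.append(check_url(url))
        except UnsafeUrl as exc:
            rejected.append((url, str(exc)))
    return safe, rejected


# Constructed sample resolver output (not real youtube-dl output).
SAMPLE_RESOLVER_OUTPUT = {
    "entries": [
        {"url": "https://cdn.example/video.mp4"},
        {"url": "file:///etc/passwd"},
        {"url": "/home/user/secret.mkv"},
        {"url": "C:\\Users\\me\\a.mkv"},
        {"url": "rtmp://stream.example/live"},
        {"url": "FILE:///etc/shadow"},
    ]
}

if __name__ == "__main__":
    ok, bad = filter_entries(SAMPLE_RESOLVER_OUTPUT)
    print("playable:", ok)
    for url, reason in bad:
        print("rejected %r: %s" % (url, reason))
```

Two design points worth keeping when porting this to another language: the scheme comparison must be case-insensitive (`FILE://` is as dangerous as `file://`), and the whitespace check has to run before parsing, because several URL parsers silently strip leading whitespace or embedded newlines and would otherwise turn a rejected string into an accepted one.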
According to package.mask:

# Patrice Clement <monsieurp@gentoo.org> (18 Jan 2018)
# mpv-0.28.0 requires changes currently only available in ffmpeg-9999.
=media-video/mpv-0.28.0

So either a backport of those features to a revbumped and stabilized ffmpeg or a backport of the fix in mpv would be needed. I would vote for doing the fix in mpv ;)
Y u no CC maintainers?
(In reply to Coacher from comment #2)
> Y u no CC maintainers?

Sorry for the delay and thank you for taking care of CCing maintainers. Please let us know when you are ready for stabilization. Thanks
(In reply to Franz Fellner from comment #1)
> According to package.mask:
>
> # Patrice Clement <monsieurp@gentoo.org> (18 Jan 2018)
> # mpv-0.28.0 requires changes currently only available in ffmpeg-9999.
>
> =media-video/mpv-0.28.0
>
> So either a backport of those features to a revbumped and stabilized ffmpeg
> or a backport of the fix in mpv would be needed. I would vote for doing the
> fix in mpv ;)

The fix was backported, released as 0.27.1:
https://github.com/mpv-player/mpv/releases/tag/v0.27.1
Yeah. The ebuild is ready to go. I'm awaiting finishing touches from one of the devs.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e834ef497c80f7b45a8b16d49df4c3649f61506c

commit e834ef497c80f7b45a8b16d49df4c3649f61506c
Author:     Ilya Tumaykin <itumaykin@gmail.com>
AuthorDate: 2018-02-13 20:43:05 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-02-14 19:55:01 +0000

    media-video/mpv: verbump to 0.27.1 and 0.28.1 with fix for CVE-2018-6360

    Bug: https://bugs.gentoo.org/646886
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 media-video/mpv/Manifest                           |   3 +
 ...mpv-0.27.0-add-missing-link-flags-for-rpi.patch |  25 ++
 media-video/mpv/mpv-0.27.1.ebuild                  | 374 +++++++++++++++++++++
 media-video/mpv/mpv-0.28.1.ebuild                  | 361 ++++++++++++++++++++
 4 files changed, 763 insertions(+)
Upstream just published 0.27.2 and 0.28.2 with additional fixes for this CVE. It'll take me another day to prepare a new PR.
@ Arches, please test and mark stable: =media-video/mpv-0.27.2
amd64 stable
x86 stable
Stable on alpha.
ppc64 stable
ppc stable
hppa, ping
UnCC'ing hppa. Stable hppa will be dropped.
GLSA request filed. @maintainers please clean.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b70657f204180df624aa657a7795344636a52c5

commit 1b70657f204180df624aa657a7795344636a52c5
Author:     Ilya Tumaykin <itumaykin@gmail.com>
AuthorDate: 2018-05-13 18:18:40 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-13 19:02:23 +0000

    media-video/mpv: security cleanup wrt CVE-2018-6360

    Bug: https://bugs.gentoo.org/646886
    Package-Manager: Portage-2.3.36, Repoman-2.3.9

 media-video/mpv/Manifest             |   2 -
 media-video/mpv/metadata.xml         |   1 -
 media-video/mpv/mpv-0.25.0-r2.ebuild | 383 -----------------------------------
 3 files changed, 386 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff8b86298f8554ea365f8d51ff25e5bb044e93e8

commit ff8b86298f8554ea365f8d51ff25e5bb044e93e8
Author:     Ilya Tumaykin <itumaykin@gmail.com>
AuthorDate: 2018-05-13 18:11:00 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-13 19:02:22 +0000

    media-video/mpv: drop stable hppa keywords

    hppa is about 80 days behind on a security bug and exp now.

    Bug: https://bugs.gentoo.org/646886
    Package-Manager: Portage-2.3.36, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/8390

 media-video/mpv/mpv-0.25.0-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Cleanup done. @security please proceed.
This issue was resolved and addressed in GLSA 201805-05 at https://security.gentoo.org/glsa/201805-05 by GLSA coordinator Aaron Bauman (b-man).