Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646886 (CVE-2018-6360) - <media-video/mpv-{0.27.2,0.28.1}: allows remote code execution (CVE-2018-6360)
Summary: <media-video/mpv-{0.27.2,0.28.1}: allows remote code execution (CVE-2018-6360)
Status: RESOLVED FIXED
Alias: CVE-2018-6360
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/mpv-player/mpv/iss...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: 648730
  Show dependency tree
 
Reported: 2018-02-07 10:35 UTC by Alarig Le Lay
Modified: 2018-05-14 23:23 UTC (History)
5 users (show)

See Also:
Package list:
media-video/mpv-0.27.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alarig Le Lay 2018-02-07 10:35:37 UTC
Hi,

A recent commit adds a protocol whitelist in the youtube-dl hook in order to avoid access to local files.
https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43

A CVE has been assigned to this issue: https://nvd.nist.gov/vuln/detail/CVE-2018-6360

So, it seems to be a good idea to unmask and then stabilize media-video/mpv-0.28.0.

Regards,
-- 
alarig
Comment 1 Franz Trischberger 2018-02-07 11:07:47 UTC
According to package.mask:

# Patrice Clement <monsieurp@gentoo.org> (18 Jan 2018)
# mpv-0.28.0 requires changes currently only available in ffmpeg-9999.                                                                                                                                                        
=media-video/mpv-0.28.0

So either a backport of those features to a revbumped and stabilized ffmpeg or a backport of the fix in mpv would be needed. I would vote for doing the fix in mpv ;)
Comment 2 Coacher 2018-02-08 19:36:20 UTC
Y u no CC maintainers?
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-08 22:52:21 UTC
(In reply to Coacher from comment #2)
> Y u no CC maintainers?

Sorry for the delay and thank you for taking care of CCing maintainers.

Please let us know when you are ready for stabilization.

Thanks
Comment 4 Diogo Pereira 2018-02-13 00:11:45 UTC
(In reply to Franz Fellner from comment #1)
> According to package.mask:
> 
> # Patrice Clement <monsieurp@gentoo.org> (18 Jan 2018)
> # mpv-0.28.0 requires changes currently only available in ffmpeg-9999.      
> 
> =media-video/mpv-0.28.0
> 
> So either a backport of those features to a revbumped and stabilized ffmpeg
> or a backport of the fix in mpv would be needed. I would vote for doing the
> fix in mpv ;)

The fix was backported, released as 0.27.1:
https://github.com/mpv-player/mpv/releases/tag/v0.27.1
Comment 5 Coacher 2018-02-13 03:38:12 UTC
Yeah. The ebuild is ready to go. I'm awaiting finishing touches from one of the devs.
Comment 6 Larry the Git Cow gentoo-dev 2018-02-14 19:55:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e834ef497c80f7b45a8b16d49df4c3649f61506c

commit e834ef497c80f7b45a8b16d49df4c3649f61506c
Author:     Ilya Tumaykin <itumaykin@gmail.com>
AuthorDate: 2018-02-13 20:43:05 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-02-14 19:55:01 +0000

    media-video/mpv: verbump to 0.27.1 and 0.28.1 with fix for CVE-2018-6360
    
    Bug: https://bugs.gentoo.org/646886
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 media-video/mpv/Manifest                           |   3 +
 ...mpv-0.27.0-add-missing-link-flags-for-rpi.patch |  25 ++
 media-video/mpv/mpv-0.27.1.ebuild                  | 374 +++++++++++++++++++++
 media-video/mpv/mpv-0.28.1.ebuild                  | 361 ++++++++++++++++++++
 4 files changed, 763 insertions(+)}
Comment 7 Coacher 2018-02-15 20:06:56 UTC
Upstream just published 0.27.2 and 0.28.2 with additional fixes for this CVE.
It'll take me another day to prepare a new PR.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-23 22:05:09 UTC
@ Arches,

please test and mark stable: =media-video/mpv-0.27.2
Comment 9 Jason Zaman gentoo-dev 2018-02-24 07:22:05 UTC
amd64 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-25 18:23:03 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-05 10:37:29 UTC
Stable on alpha.
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-31 10:33:09 UTC
ppc64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2018-04-03 21:48:04 UTC
ppc stable
Comment 14 Coacher 2018-04-28 16:02:23 UTC
hppa, ping
Comment 15 Coacher 2018-05-13 18:26:49 UTC
UnCC'ing hppa. Stable hppa will be dropped.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2018-05-13 18:48:05 UTC
GLSA request filed.

@maintainers please clean.
Comment 17 Larry the Git Cow gentoo-dev 2018-05-13 19:02:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b70657f204180df624aa657a7795344636a52c5

commit 1b70657f204180df624aa657a7795344636a52c5
Author:     Ilya Tumaykin <itumaykin@gmail.com>
AuthorDate: 2018-05-13 18:18:40 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-13 19:02:23 +0000

    media-video/mpv: security cleanup wrt CVE-2018-6360
    
    Bug: https://bugs.gentoo.org/646886
    Package-Manager: Portage-2.3.36, Repoman-2.3.9

 media-video/mpv/Manifest             |   2 -
 media-video/mpv/metadata.xml         |   1 -
 media-video/mpv/mpv-0.25.0-r2.ebuild | 383 -----------------------------------
 3 files changed, 386 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff8b86298f8554ea365f8d51ff25e5bb044e93e8

commit ff8b86298f8554ea365f8d51ff25e5bb044e93e8
Author:     Ilya Tumaykin <itumaykin@gmail.com>
AuthorDate: 2018-05-13 18:11:00 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-13 19:02:22 +0000

    media-video/mpv: drop stable hppa keywords
    
    hppa is about 80 days behind on a security bug and exp now.
    
    Bug: https://bugs.gentoo.org/646886
    Package-Manager: Portage-2.3.36, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/8390

 media-video/mpv/mpv-0.25.0-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 18 Coacher 2018-05-13 19:10:39 UTC
Cleanup done. @security please proceed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2018-05-14 23:23:35 UTC
This issue was resolved and addressed in
 GLSA 201805-05 at https://security.gentoo.org/glsa/201805-05
by GLSA coordinator Aaron Bauman (b-man).