648730 – [vapoursynth overlay] media-video/mpv allows remote code execution (CVE-2018-6360)

Bug 648730 - [vapoursynth overlay] media-video/mpv allows remote code execution (CVE-2018-6360)

Summary: [vapoursynth overlay] media-video/mpv allows remote code execution (CVE-2018-...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Overlays (show other bugs)
Hardware:	All Linux

Importance:	Normal critical (vote)
Assignee:	surukko

URL:	https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords:

Depends on:	CVE-2018-6360
Blocks:
	Show dependency tree

Reported:	2018-02-24 19:46 UTC by EoD
Modified:	2018-02-28 14:41 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description EoD 2018-02-24 19:46:16 UTC

The Gentoo tree has an updated version of video/mpv-0.27.2 which fixes CVE-2018-6360:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d329da2cb0aba9e7b9289a3c0604668542571478


As vapoursynth is disabled hardcoded in the above ebuild, the latest (non-live) of mpv with vapoursynth is media-video/mpv-0.27.0.20171027 which is very old and still contains the CVE:

See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360