Hi, On 08/02/18 11:36, James Cowgill wrote: > On 07/02/18 23:16, James Cowgill wrote: >> Hi, >> >> On 07/02/18 21:39, Marc Becker wrote: >>> Package: mpv >>> Version: 0.23.0-2+deb9u1 >>> Followup-For: Bug #888654 >>> >>> Patch to line 264 via 08_ytdl-hook-whitelist-protocols.patch is incorrect, >>> check is applied to raw Youtube ID instead of valid url and always fails as >>> a result. >>> >>> Suggestions: no checking of raw IDs (skipped in upstream fix as well) >> >> Yes I think you're right. It's also broken in sid too (but not in >> experimental). I think I got thrown off by newer mpv distinguishing >> between youtube ids and non youtube ids. > > Cloning a new bug to track the regression.
I think the attached patch will fix this (which I have also just uploaded to unstable). Also available here: https://salsa.debian.org/multimedia-team/mpv/compare/debian%2F0.23.0-2+deb9u1...debian%2Fstretch This incorporates this upstream commit which fixes a different issue, but by doing so allows me to copy upstream's fix: https://github.com/mpv-player/mpv/commit/1623430b200c7bf67ec19bcab13ccbe9a494d2c7 Sorry for missing this in my first patch! James
diff --git a/debian/changelog b/debian/changelog index 346e88c..b68ace0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +mpv (0.23.0-2+deb9u2) stretch-security; urgency=high + + * debian/patches/08_ytdl-hook-whitelist-protocols.patch: + - Fix regression in CVE-2018-6360 patch which broke youtube playlists. + (Closes: #889892) + + -- James Cowgill <jcowg...@debian.org> Thu, 08 Feb 2018 12:27:06 +0000 + mpv (0.23.0-2+deb9u1) stretch-security; urgency=high * debian/patches/08_ytdl-hook-whitelist-protocols.patch: diff --git a/debian/patches/08_ytdl-hook-whitelist-protocols.patch b/debian/patches/08_ytdl-hook-whitelist-protocols.patch index 0212bdb..7487f82 100644 --- a/debian/patches/08_ytdl-hook-whitelist-protocols.patch +++ b/debian/patches/08_ytdl-hook-whitelist-protocols.patch @@ -10,6 +10,7 @@ Description: ytdl_hook: whitelist protocols from urls retrieved from youtube-dl Author: Ricardo Constantino <wiia...@gmail.com> Bug: https://github.com/mpv-player/mpv/issues/5456 Bug-Debian: https://bugs.debian.org/888654 +Bug-Debian: https://bugs.debian.org/889892 Applied-Upstream: v0.29 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ @@ -61,18 +62,20 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ playlist = playlist .. edl_escape(entry.url) if not (entry.duration == nil) then playlist = playlist..",start=0,length="..entry.duration -@@ -261,7 +285,9 @@ mp.add_hook("on_load", 10, function () +@@ -261,7 +285,11 @@ mp.add_hook("on_load", 10, function () site = entry["webpage_url"] end - playlist = playlist .. "ytdl://" .. site .. "\n" -+ if url_is_safe(site) then ++ if not site:find("://") then + playlist = playlist .. "ytdl://" .. site .. "\n" ++ elseif url_is_safe(site) then ++ playlist = playlist .. site .. "\n" + end end mp.set_property("stream-open-filename", "memory://" .. playlist) -@@ -279,14 +305,24 @@ mp.add_hook("on_load", 10, function () +@@ -279,14 +307,24 @@ mp.add_hook("on_load", 10, function () -- video url streamurl = json["requested_formats"][1].url
signature.asc
Description: OpenPGP digital signature