Package: mpv
Followup-For: Bug #982249

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hey!

Here is a patch to update to 0.33.1. If you prefer to pull directly
from Salsa, the branches are available on my fork:

 https://salsa.debian.org/bernat/mpv


- -- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.13.0-trunk-amd64 (SMP w/12 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mpv depends on:
ii  libarchive13                      3.4.3-2+b1
ii  libasound2                        1.2.5.1-1
ii  libass9                           1:0.15.1-2
ii  libavcodec58                      7:4.4-5
ii  libavdevice58                     7:4.4-5
ii  libavfilter7                      7:4.4-5
ii  libavformat58                     7:4.4-5
ii  libavutil56                       7:4.4-5
ii  libbluray2                        1:1.3.0-3
ii  libc6                             2.31-17
ii  libcaca0                          0.99.beta19-2.2
ii  libcdio-cdda2                     10.2+2.0.0-1+b2
ii  libcdio-paranoia2                 10.2+2.0.0-1+b2
ii  libcdio19                         2.1.0-2
ii  libdrm2                           2.4.107-2
ii  libdvdnav4                        6.1.1-1
ii  libegl1                           1.3.2-1
ii  libgbm1                           21.2.1-1
ii  libjack-jackd2-0 [libjack-0.125]  1.9.17~dfsg-1
ii  libjpeg62-turbo                   1:2.0.6-4
ii  liblcms2-2                        2.12~rc1-2
ii  liblua5.2-0                       5.2.4-1.1+b3
ii  libpulse0                         15.0+dfsg1-2
ii  librubberband2                    1.9.0-1
ii  libsdl2-2.0-0                     2.0.14+dfsg2-3
ii  libswresample3                    7:4.4-5
ii  libswscale5                       7:4.4-5
ii  libuchardet0                      0.0.7-1
ii  libva-drm2                        2.12.0-2
ii  libva-wayland2                    2.12.0-2
ii  libva-x11-2                       2.12.0-2
ii  libva2                            2.12.0-2
ii  libvdpau1                         1.4-3
ii  libwayland-client0                1.19.0-2
ii  libwayland-cursor0                1.19.0-2
ii  libwayland-egl1                   1.19.0-2
ii  libx11-6                          2:1.7.2-1
ii  libxext6                          2:1.3.3-1.1
ii  libxinerama1                      2:1.1.4-2
ii  libxkbcommon0                     1.0.3-2
ii  libxrandr2                        2:1.5.1-1
ii  libxss1                           1:1.2.3-1
ii  libxv1                            2:1.0.11-1
ii  zlib1g                            1:1.2.11.dfsg-2

Versions of packages mpv recommends:
ii  xdg-utils   1.1.3-4.1
ii  youtube-dl  2021.06.06-1

mpv suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAmEl9TUSHGJlcm5hdEBk
ZWJpYW4ub3JnAAoJEJWkL+g1NSX5KEMQAJtafIg14KBpg95jlrsgsIQxym5SHT9+
6n8hqgFFuzwZLRjfEli4I8Xhjjn64KQ0pby2kGsXYsZcO1BEwfjiwb+TQzxTKmA2
4lUWiyVwBUhaog61/GAVEkrnuOjk1y13+jFTF4zl4TeU0ZgtGZ6jlBNOqVPFCdSf
JI9PtwBAkkmBKU5uHihfKvLeAhtKKzOMY/6jPIXP5+LNWUV3s65Bzit98shynE2w
zIxEQNvNHG3DSwhzwwb/VKgvNXCWHO21CFaPPK7bEbLbGj5TevL9Cw1hCRPP5gIF
kWPGuUAXEZfbT1sJbGt47kx1aB5acPYPOOhPtJvVGgFEwk0YD+p7gjsdEqVgvRw+
YwBqOnIMFIIDJ/bQ/cKvHOLFOLa+QK/YAyaIw7FA3bG7KN8XcEJGUT+i1I2FnuK1
B1RHBTvP3QhZq4Zo087+v6Bb/Ft7i+72bS/ZwEvZZqs+vpkBwedAqhwG90VySJdL
NwVLieqqGwYOKiTFrtO3xi+8cd6D9EySftfsJVXd1RbdRP062Ks9M6XRJVlNMjpV
peLgN/bAT4E3IvpPPYIlxhkL2ucsotXyV7OgUAFiw+VaMkkToH5BUOuyEd8ZRH6i
pPj9YghGtOHYESTApcdtHWrvwuQMEzjpA8nsOR5HT99CHfJjROEgxfl4llqSf9d5
mRmCmSBCOEO8
=ay07
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index b896541ff7f3..0abbbc810204 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+mpv (0.33.1-1) unstable; urgency=medium
+
+  * New upstream release. Closes: #982249.
+  * d/patches: remove fix for CVE-2021-30145, applied upstream.
+  * d/patches: remove ffmpeg ABI fix, applied upstream.
+  * d/patches: remove Lua security fix, applied upstream.
+  * d/rules: don't build with SMB client support (removed upstream).
+  * d/rules: don't build with sndio support (removed upstream).
+  * d/symbols: update.
+
+ -- Vincent Bernat <ber...@debian.org>  Wed, 25 Aug 2021 09:20:59 +0200
+
 mpv (0.32.0-3) unstable; urgency=medium
 
   * debian/patches: Apply upstream fix for CVE-2021-30145 (Closes: #986839)
diff --git a/debian/control b/debian/control
index a36186f0fcb2..7724677d81c1 100644
--- a/debian/control
+++ b/debian/control
@@ -31,8 +31,6 @@ Build-Depends:
  libpulse-dev,
  librubberband-dev,
  libsdl2-dev,
- libsmbclient-dev,
- libsndio-dev (>= 1.0.1),
  libswscale-dev (>= 7:4.0),
  libuchardet-dev,
  libva-dev,
diff --git a/debian/copyright b/debian/copyright
index df8b0152d1e1..bcce6925433f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,21 +1,11 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: mpv
 Source: https://github.com/mpv-player/mpv/releases
-Comment:
- While the mpv source code is distributed mostly under the GPL-2+ or LGPL-2.1+
- licenses, the binaries are distributed under the GPL-3+ license because they
- are linked to the GPL-3+ libsmbclient library.
 
 Files: *
 Copyright: 2000-2020, mpv/MPlayer/mplayer2 projects
 License: LGPL-2.1+
 
-Files: audio/out/ao_sndio.c
-Copyright:
- 2008, Alexandre Ratchov <a...@caoua.org>
- 2013, Christian Neukirchen <chneukirc...@gmail.com>
-License: ISC
-
 Files: debian/*
 Copyright:
  2013 Alessandro Ghedini <gh...@debian.org>
@@ -58,7 +48,6 @@ Files:
  stream/stream_cdda.c
  stream/stream_dvb.c
  stream/stream_dvdnav.c
- stream/stream_smb.c
  video/out/vo_caca.c
  video/out/vo_direct3d.c
  video/out/vo_vaapi.c
diff --git a/debian/libmpv1.symbols b/debian/libmpv1.symbols
index c517c57b9fe6..fffa129ac311 100644
--- a/debian/libmpv1.symbols
+++ b/debian/libmpv1.symbols
@@ -2,6 +2,7 @@ libmpv.so.1 libmpv1 #MINVER#
 * Build-Depends-Package: libmpv-dev
  mpv_abort_async_command@Base 0.30.0
  mpv_client_api_version@Base 0.4.0
+ mpv_client_id@Base 0.33.1-1
  mpv_client_name@Base 0.4.0
  mpv_command@Base 0.4.0
  mpv_command_async@Base 0.4.0
@@ -16,6 +17,7 @@ libmpv.so.1 libmpv1 #MINVER#
  mpv_detach_destroy@Base 0.4.0
  mpv_error_string@Base 0.4.0
  mpv_event_name@Base 0.4.0
+ mpv_event_to_node@Base 0.33.1-1
  mpv_free@Base 0.4.0
  mpv_free_node_contents@Base 0.4.0
  mpv_get_property@Base 0.4.0
diff --git 
a/debian/patches/0006-demux_mf-improve-format-string-processing.patch 
b/debian/patches/0006-demux_mf-improve-format-string-processing.patch
deleted file mode 100644
index 420b3bfa487e..000000000000
--- a/debian/patches/0006-demux_mf-improve-format-string-processing.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: "Avi Halachmi (:avih)" <avih...@yahoo.com>
-Date: Sun, 25 Apr 2021 19:46:36 +0300
-Subject: demux_mf: improve format string processing
-
-Before this commit, the user could specify a printf format string
-which wasn't verified, and could result in:
-- Undefined behavior due to missing or non-matching arguments.
-- Buffer overflow due to untested result length.
-
-The offending code was added at commit 103a9609 (2002, mplayer svn):
-git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@4566 
b3059339-0415-0410-9bf9-f77b7e298cf2
-
-It moved around but was not modified meaningfully until now.
-
-Now we reject all conversion specifiers at the format except %%
-and a simple subset of the valid specifiers. Also, we now use
-snprintf to avoid buffer overflow.
-
-The format string is provided by the user as part of mf:// URI.
-
-Report and initial patch by Stefan Schiller.
-Patch reviewed by @jeeb, @sfan5, Stefan Schiller.
-
-(cherry picked from commit cb3fa04bcb2ba9e0d25788480359157208c13e0b)
----
- demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++--
- 1 file changed, 37 insertions(+), 2 deletions(-)
-
-diff --git a/demux/demux_mf.c b/demux/demux_mf.c
-index ef5a513..7148862 100644
---- a/demux/demux_mf.c
-+++ b/demux/demux_mf.c
-@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct 
demuxer *d, char *filename
-         goto exit_mf;
-     }
- 
--    char *fname = talloc_size(mf, strlen(filename) + 32);
-+    size_t fname_avail = strlen(filename) + 32;
-+    char *fname = talloc_size(mf, fname_avail);
- 
- #if HAVE_GLOB
-     if (!strchr(filename, '%')) {
-@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct 
demuxer *d, char *filename
-     }
- #endif
- 
-+    // We're using arbitrary user input as printf format with 1 int argument.
-+    // Any format which uses exactly 1 int argument would be valid, but for
-+    // simplicity we reject all conversion specifiers except %% and simple
-+    // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid)
-+    const char *f = filename;
-+    int MAXDIGS = 3, nspec = 0, bad_spec = 0, c;
-+
-+    while (nspec < 2 && (c = *f++)) {
-+        if (c != '%')
-+            continue;
-+        if (*f != '%') {
-+            nspec++;  // conversion specifier which isn't %%
-+            if (*f == '.')
-+                f++;
-+            for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++)
-+                /* no-op */;
-+            if (*f != 'd') {
-+                bad_spec++;  // not int, or beyond our validation capacity
-+                break;
-+            }
-+        }
-+        // *f is '%' or 'd'
-+        f++;
-+    }
-+
-+    // nspec==0 (zero specifiers) is rejected because fname wouldn't advance.
-+    if (bad_spec || nspec != 1) {
-+        mp_err(log, "unsupported expr format: '%s'\n", filename);
-+        goto exit_mf;
-+    }
-+
-     mp_info(log, "search expr: %s\n", filename);
- 
-     while (error_count < 5) {
--        sprintf(fname, filename, count++);
-+        if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) {
-+            mp_err(log, "format result too long: '%s'\n", filename);
-+            goto exit_mf;
-+        }
-         if (!mp_path_exists(fname)) {
-             error_count++;
-             mp_verbose(log, "file not found: '%s'\n", fname);
diff --git a/debian/patches/05_add-keywords.patch 
b/debian/patches/05_add-keywords.patch
index 91b0883943db..492721356925 100644
--- a/debian/patches/05_add-keywords.patch
+++ b/debian/patches/05_add-keywords.patch
@@ -6,5 +6,5 @@ Author: Mateusz Łukasik <mat...@linuxmint.pl>
 @@ -34,3 +34,4 @@ Terminal=false
  Categories=AudioVideo;Audio;Video;Player;TV;
  
MimeType=application/ogg;application/x-ogg;application/mxf;application/sdp;application/smil;application/x-smil;application/streamingmedia;application/x-streamingmedia;application/vnd.rn-realmedia;application/vnd.rn-realmedia-vbr;audio/aac;audio/x-aac;audio/vnd.dolby.heaac.1;audio/vnd.dolby.heaac.2;audio/aiff;audio/x-aiff;audio/m4a;audio/x-m4a;application/x-extension-m4a;audio/mp1;audio/x-mp1;audio/mp2;audio/x-mp2;audio/mp3;audio/x-mp3;audio/mpeg;audio/mpeg2;audio/mpeg3;audio/mpegurl;audio/x-mpegurl;audio/mpg;audio/x-mpg;audio/rn-mpeg;audio/musepack;audio/x-musepack;audio/ogg;audio/scpls;audio/x-scpls;audio/vnd.rn-realaudio;audio/wav;audio/x-pn-wav;audio/x-pn-windows-pcm;audio/x-realaudio;audio/x-pn-realaudio;audio/x-ms-wma;audio/x-pls;audio/x-wav;video/mpeg;video/x-mpeg2;video/x-mpeg3;video/mp4v-es;video/x-m4v;video/mp4;application/x-extension-mp4;video/divx;video/vnd.divx;video/msvideo;video/x-msvideo;video/ogg;video/quicktime;video/vnd.rn-realvideo;video/x-ms-afs;video/x-ms-asf;audio/x-ms-asf;application/vnd.ms-asf;video/x-ms-wmv;video/x-ms-wmx;video/x-ms-wvxvideo;video/x-avi;video/avi;video/x-flic;video/fli;video/x-flc;video/flv;video/x-flv;video/x-theora;video/x-theora+ogg;video/x-matroska;video/mkv;audio/x-matroska;application/x-matroska;video/webm;audio/webm;audio/vorbis;audio/x-vorbis;audio/x-vorbis+ogg;video/x-ogm;video/x-ogm+ogg;application/x-ogm;application/x-ogm-audio;application/x-ogm-video;application/x-shorten;audio/x-shorten;audio/x-ape;audio/x-wavpack;audio/x-tta;audio/AMR;audio/ac3;audio/eac3;audio/amr-wb;video/mp2t;audio/flac;audio/mp4;application/x-mpegurl;video/vnd.mpegurl;application/vnd.apple.mpegurl;audio/x-pn-au;video/3gp;video/3gpp;video/3gpp2;audio/3gpp;audio/3gpp2;video/dv;audio/dv;audio/opus;audio/vnd.dts;audio/vnd.dts.hd;audio/x-adpcm;application/x-cue;audio/m3u;
- X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb
+ X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb,srt
 +Keywords=mpv;media;player;video;audio;tv;
diff --git a/debian/patches/06_ffmpeg-abi.patch 
b/debian/patches/06_ffmpeg-abi.patch
deleted file mode 100644
index 8ebac649257d..000000000000
--- a/debian/patches/06_ffmpeg-abi.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Description: Suppress ffmpeg version mismatch error
- Requiring an exact ffmpeg version is usually not a good idea in a binary
- distribution because:
- - All FFmpeg security updates require a subsequent binNMU of mpv.
- - Debian generated dependencies do not capture this dependency well (at least
-   without extra hacking).
- - The requirement itself usually indicates an ABI violation.
- For these reasons, remove the check and assume the current FFmpeg version is
- compatible.
-Author: James Cowgill <jcowg...@debian.org>
-Bug-Debian: https://bugs.debian.org/831537
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/player/main.c
-+++ b/player/main.c
-@@ -387,18 +387,6 @@ int mp_initialize(struct MPContext *mpct
-     if (handle_help_options(mpctx))
-         return 1; // help
- 
--    if (!print_libav_versions(mp_null_log, 0)) {
--        // This happens only if the runtime FFmpeg version is lower than the
--        // build version, which will not work according to FFmpeg's ABI rules.
--        // This does not happen if runtime FFmpeg is newer, which is 
compatible.
--        print_libav_versions(mpctx->log, MSGL_FATAL);
--        MP_FATAL(mpctx, "\nmpv was compiled against an incompatible version 
of "
--                 "FFmpeg/Libav than the shared\nlibrary it is linked against. 
"
--                 "This is most likely a broken build and could\nresult in "
--                 "misbehavior and crashes.\n\nThis is a broken build.\n");
--        return -1;
--    }
--
- #if HAVE_TESTS
-     if (opts->test_mode && opts->test_mode[0])
-         return run_tests(mpctx) ? 1 : -1;
diff --git a/debian/patches/07_io-stdin-used.patch 
b/debian/patches/07_io-stdin-used.patch
index dccf57bb878d..93139a4a61df 100644
--- a/debian/patches/07_io-stdin-used.patch
+++ b/debian/patches/07_io-stdin-used.patch
@@ -13,4 +13,4 @@ This patch header follows DEP-3: 
http://dep.debian.net/deps/dep3/
 +_IO_stdin_used
  mpv_abort_async_command
  mpv_client_api_version
- mpv_client_name
+ mpv_client_id
diff --git a/debian/patches/08_lua_security.patch 
b/debian/patches/08_lua_security.patch
deleted file mode 100644
index e54b299a4bef..000000000000
--- a/debian/patches/08_lua_security.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 937749b545407aa68b1d15ea5e19a6c23d62da42 Mon Sep 17 00:00:00 2001
-From: astian <ast...@e-nautia.com>
-Date: Mon, 11 Feb 2020 21:08:51 +0000
-Subject: [PATCH] lua: fix unintended code execution vulnerability
-
-Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6
-("lua: fix highly security relevant arbitrary code execution") to
-release 0.32.0.
-
-Note:  Before release 0.32.0, it used to be that mpv-related scripts
-directories where added to Lua's module-loaders search path.  This
-behaviour was dropped in 0.32.0 (bc1c024ae032).  Later, a similar but
-stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c).
-The original commit on which this patch is based depended on the new
-behaviour.  This backport retains the 0.32.0 behaviour; all it does is
-filter out relative paths from "package.path" and "package.cpath" for
-all Lua scripts.
----
- player/lua.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
---- a/player/lua.c
-+++ b/player/lua.c
-@@ -273,6 +273,36 @@
-     return 0;
- }
- 
-+static void fuck_lua(lua_State *L, const char *search_path)
-+{
-+    void *tmp = talloc_new(NULL);
-+
-+    lua_getglobal(L, "package"); // package
-+    lua_getfield(L, -1, search_path); // package search_path
-+    bstr path = bstr0(lua_tostring(L, -1));
-+    char *newpath = talloc_strdup(tmp, "");
-+
-+    // Unbelievable but true: Lua loads .lua files AND dynamic libraries from
-+    // the working directory. This is highly security relevant.
-+    // Lua scripts are still supposed to load globally installed libraries, so
-+    // try to get by by filtering out any relative paths.
-+    while (path.len) {
-+        bstr item;
-+        bstr_split_tok(path, ";", &item, &path);
-+        if (bstr_startswith0(item, "/")) {
-+            newpath = talloc_asprintf_append(newpath, "%s%.*s",
-+                                             newpath[0] ? ";" : "",
-+                                             BSTR_P(item));
-+        }
-+    }
-+
-+    lua_pushstring(L, newpath);  // package search_path newpath
-+    lua_setfield(L, -3, search_path); // package search_path
-+    lua_pop(L, 2);  // -
-+
-+    talloc_free(tmp);
-+}
-+
- static int run_lua(lua_State *L)
- {
-     struct script_ctx *ctx = lua_touserdata(L, -1);
-@@ -326,6 +356,10 @@
- 
-     assert(lua_gettop(L) == 0);
- 
-+    fuck_lua(L, "path");
-+    fuck_lua(L, "cpath");
-+    assert(lua_gettop(L) == 0);
-+
-     // run this under an error handler that can do backtraces
-     lua_pushcfunction(L, error_handler); // errf
-     lua_pushcfunction(L, load_scripts); // errf fn
diff --git a/debian/patches/series b/debian/patches/series
index 6494d1756a34..793042262c25 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,3 @@
 03_waf.patch
 05_add-keywords.patch
-06_ffmpeg-abi.patch
 07_io-stdin-used.patch
-08_lua_security.patch
-0006-demux_mf-improve-format-string-processing.patch
diff --git a/debian/rules b/debian/rules
index 49d8fcdcb45b..2ff361e7104a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,9 +20,7 @@ override_dh_auto_configure:
                        --enable-cdda                                   \
                        --enable-dvdnav                                 \
                        --enable-libmpv-shared                          \
-                       --enable-libsmbclient                           \
                        --enable-sdl2                                   \
-                       --enable-sndio                                  \
                        --disable-build-date                            \
                        $(ARCH_CONFIGURE)
 

Reply via email to