Package: mpv Followup-For: Bug #982249 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Hey! Here is a patch to update to 0.33.1. If you prefer to pull directly from Salsa, the branches are available on my fork: https://salsa.debian.org/bernat/mpv - -- System Information: Debian Release: bookworm/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental-debug'), (101, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.13.0-trunk-amd64 (SMP w/12 CPU threads) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages mpv depends on: ii libarchive13 3.4.3-2+b1 ii libasound2 1.2.5.1-1 ii libass9 1:0.15.1-2 ii libavcodec58 7:4.4-5 ii libavdevice58 7:4.4-5 ii libavfilter7 7:4.4-5 ii libavformat58 7:4.4-5 ii libavutil56 7:4.4-5 ii libbluray2 1:1.3.0-3 ii libc6 2.31-17 ii libcaca0 0.99.beta19-2.2 ii libcdio-cdda2 10.2+2.0.0-1+b2 ii libcdio-paranoia2 10.2+2.0.0-1+b2 ii libcdio19 2.1.0-2 ii libdrm2 2.4.107-2 ii libdvdnav4 6.1.1-1 ii libegl1 1.3.2-1 ii libgbm1 21.2.1-1 ii libjack-jackd2-0 [libjack-0.125] 1.9.17~dfsg-1 ii libjpeg62-turbo 1:2.0.6-4 ii liblcms2-2 2.12~rc1-2 ii liblua5.2-0 5.2.4-1.1+b3 ii libpulse0 15.0+dfsg1-2 ii librubberband2 1.9.0-1 ii libsdl2-2.0-0 2.0.14+dfsg2-3 ii libswresample3 7:4.4-5 ii libswscale5 7:4.4-5 ii libuchardet0 0.0.7-1 ii libva-drm2 2.12.0-2 ii libva-wayland2 2.12.0-2 ii libva-x11-2 2.12.0-2 ii libva2 2.12.0-2 ii libvdpau1 1.4-3 ii libwayland-client0 1.19.0-2 ii libwayland-cursor0 1.19.0-2 ii libwayland-egl1 1.19.0-2 ii libx11-6 2:1.7.2-1 ii libxext6 2:1.3.3-1.1 ii libxinerama1 2:1.1.4-2 ii libxkbcommon0 1.0.3-2 ii libxrandr2 2:1.5.1-1 ii libxss1 1:1.2.3-1 ii libxv1 2:1.0.11-1 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages mpv recommends: ii xdg-utils 1.1.3-4.1 ii youtube-dl 2021.06.06-1 mpv suggests no packages. - -- no debconf information -----BEGIN PGP SIGNATURE----- iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAmEl9TUSHGJlcm5hdEBk ZWJpYW4ub3JnAAoJEJWkL+g1NSX5KEMQAJtafIg14KBpg95jlrsgsIQxym5SHT9+ 6n8hqgFFuzwZLRjfEli4I8Xhjjn64KQ0pby2kGsXYsZcO1BEwfjiwb+TQzxTKmA2 4lUWiyVwBUhaog61/GAVEkrnuOjk1y13+jFTF4zl4TeU0ZgtGZ6jlBNOqVPFCdSf JI9PtwBAkkmBKU5uHihfKvLeAhtKKzOMY/6jPIXP5+LNWUV3s65Bzit98shynE2w zIxEQNvNHG3DSwhzwwb/VKgvNXCWHO21CFaPPK7bEbLbGj5TevL9Cw1hCRPP5gIF kWPGuUAXEZfbT1sJbGt47kx1aB5acPYPOOhPtJvVGgFEwk0YD+p7gjsdEqVgvRw+ YwBqOnIMFIIDJ/bQ/cKvHOLFOLa+QK/YAyaIw7FA3bG7KN8XcEJGUT+i1I2FnuK1 B1RHBTvP3QhZq4Zo087+v6Bb/Ft7i+72bS/ZwEvZZqs+vpkBwedAqhwG90VySJdL NwVLieqqGwYOKiTFrtO3xi+8cd6D9EySftfsJVXd1RbdRP062Ks9M6XRJVlNMjpV peLgN/bAT4E3IvpPPYIlxhkL2ucsotXyV7OgUAFiw+VaMkkToH5BUOuyEd8ZRH6i pPj9YghGtOHYESTApcdtHWrvwuQMEzjpA8nsOR5HT99CHfJjROEgxfl4llqSf9d5 mRmCmSBCOEO8 =ay07 -----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog index b896541ff7f3..0abbbc810204 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +mpv (0.33.1-1) unstable; urgency=medium + + * New upstream release. Closes: #982249. + * d/patches: remove fix for CVE-2021-30145, applied upstream. + * d/patches: remove ffmpeg ABI fix, applied upstream. + * d/patches: remove Lua security fix, applied upstream. + * d/rules: don't build with SMB client support (removed upstream). + * d/rules: don't build with sndio support (removed upstream). + * d/symbols: update. + + -- Vincent Bernat <ber...@debian.org> Wed, 25 Aug 2021 09:20:59 +0200 + mpv (0.32.0-3) unstable; urgency=medium * debian/patches: Apply upstream fix for CVE-2021-30145 (Closes: #986839) diff --git a/debian/control b/debian/control index a36186f0fcb2..7724677d81c1 100644 --- a/debian/control +++ b/debian/control @@ -31,8 +31,6 @@ Build-Depends: libpulse-dev, librubberband-dev, libsdl2-dev, - libsmbclient-dev, - libsndio-dev (>= 1.0.1), libswscale-dev (>= 7:4.0), libuchardet-dev, libva-dev, diff --git a/debian/copyright b/debian/copyright index df8b0152d1e1..bcce6925433f 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,21 +1,11 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: mpv Source: https://github.com/mpv-player/mpv/releases -Comment: - While the mpv source code is distributed mostly under the GPL-2+ or LGPL-2.1+ - licenses, the binaries are distributed under the GPL-3+ license because they - are linked to the GPL-3+ libsmbclient library. Files: * Copyright: 2000-2020, mpv/MPlayer/mplayer2 projects License: LGPL-2.1+ -Files: audio/out/ao_sndio.c -Copyright: - 2008, Alexandre Ratchov <a...@caoua.org> - 2013, Christian Neukirchen <chneukirc...@gmail.com> -License: ISC - Files: debian/* Copyright: 2013 Alessandro Ghedini <gh...@debian.org> @@ -58,7 +48,6 @@ Files: stream/stream_cdda.c stream/stream_dvb.c stream/stream_dvdnav.c - stream/stream_smb.c video/out/vo_caca.c video/out/vo_direct3d.c video/out/vo_vaapi.c diff --git a/debian/libmpv1.symbols b/debian/libmpv1.symbols index c517c57b9fe6..fffa129ac311 100644 --- a/debian/libmpv1.symbols +++ b/debian/libmpv1.symbols @@ -2,6 +2,7 @@ libmpv.so.1 libmpv1 #MINVER# * Build-Depends-Package: libmpv-dev mpv_abort_async_command@Base 0.30.0 mpv_client_api_version@Base 0.4.0 + mpv_client_id@Base 0.33.1-1 mpv_client_name@Base 0.4.0 mpv_command@Base 0.4.0 mpv_command_async@Base 0.4.0 @@ -16,6 +17,7 @@ libmpv.so.1 libmpv1 #MINVER# mpv_detach_destroy@Base 0.4.0 mpv_error_string@Base 0.4.0 mpv_event_name@Base 0.4.0 + mpv_event_to_node@Base 0.33.1-1 mpv_free@Base 0.4.0 mpv_free_node_contents@Base 0.4.0 mpv_get_property@Base 0.4.0 diff --git a/debian/patches/0006-demux_mf-improve-format-string-processing.patch b/debian/patches/0006-demux_mf-improve-format-string-processing.patch deleted file mode 100644 index 420b3bfa487e..000000000000 --- a/debian/patches/0006-demux_mf-improve-format-string-processing.patch +++ /dev/null @@ -1,88 +0,0 @@ -From: "Avi Halachmi (:avih)" <avih...@yahoo.com> -Date: Sun, 25 Apr 2021 19:46:36 +0300 -Subject: demux_mf: improve format string processing - -Before this commit, the user could specify a printf format string -which wasn't verified, and could result in: -- Undefined behavior due to missing or non-matching arguments. -- Buffer overflow due to untested result length. - -The offending code was added at commit 103a9609 (2002, mplayer svn): -git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@4566 b3059339-0415-0410-9bf9-f77b7e298cf2 - -It moved around but was not modified meaningfully until now. - -Now we reject all conversion specifiers at the format except %% -and a simple subset of the valid specifiers. Also, we now use -snprintf to avoid buffer overflow. - -The format string is provided by the user as part of mf:// URI. - -Report and initial patch by Stefan Schiller. -Patch reviewed by @jeeb, @sfan5, Stefan Schiller. - -(cherry picked from commit cb3fa04bcb2ba9e0d25788480359157208c13e0b) ---- - demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++-- - 1 file changed, 37 insertions(+), 2 deletions(-) - -diff --git a/demux/demux_mf.c b/demux/demux_mf.c -index ef5a513..7148862 100644 ---- a/demux/demux_mf.c -+++ b/demux/demux_mf.c -@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename - goto exit_mf; - } - -- char *fname = talloc_size(mf, strlen(filename) + 32); -+ size_t fname_avail = strlen(filename) + 32; -+ char *fname = talloc_size(mf, fname_avail); - - #if HAVE_GLOB - if (!strchr(filename, '%')) { -@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename - } - #endif - -+ // We're using arbitrary user input as printf format with 1 int argument. -+ // Any format which uses exactly 1 int argument would be valid, but for -+ // simplicity we reject all conversion specifiers except %% and simple -+ // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid) -+ const char *f = filename; -+ int MAXDIGS = 3, nspec = 0, bad_spec = 0, c; -+ -+ while (nspec < 2 && (c = *f++)) { -+ if (c != '%') -+ continue; -+ if (*f != '%') { -+ nspec++; // conversion specifier which isn't %% -+ if (*f == '.') -+ f++; -+ for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++) -+ /* no-op */; -+ if (*f != 'd') { -+ bad_spec++; // not int, or beyond our validation capacity -+ break; -+ } -+ } -+ // *f is '%' or 'd' -+ f++; -+ } -+ -+ // nspec==0 (zero specifiers) is rejected because fname wouldn't advance. -+ if (bad_spec || nspec != 1) { -+ mp_err(log, "unsupported expr format: '%s'\n", filename); -+ goto exit_mf; -+ } -+ - mp_info(log, "search expr: %s\n", filename); - - while (error_count < 5) { -- sprintf(fname, filename, count++); -+ if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) { -+ mp_err(log, "format result too long: '%s'\n", filename); -+ goto exit_mf; -+ } - if (!mp_path_exists(fname)) { - error_count++; - mp_verbose(log, "file not found: '%s'\n", fname); diff --git a/debian/patches/05_add-keywords.patch b/debian/patches/05_add-keywords.patch index 91b0883943db..492721356925 100644 --- a/debian/patches/05_add-keywords.patch +++ b/debian/patches/05_add-keywords.patch @@ -6,5 +6,5 @@ Author: Mateusz Ĺukasik <mat...@linuxmint.pl> @@ -34,3 +34,4 @@ Terminal=false Categories=AudioVideo;Audio;Video;Player;TV; MimeType=application/ogg;application/x-ogg;application/mxf;application/sdp;application/smil;application/x-smil;application/streamingmedia;application/x-streamingmedia;application/vnd.rn-realmedia;application/vnd.rn-realmedia-vbr;audio/aac;audio/x-aac;audio/vnd.dolby.heaac.1;audio/vnd.dolby.heaac.2;audio/aiff;audio/x-aiff;audio/m4a;audio/x-m4a;application/x-extension-m4a;audio/mp1;audio/x-mp1;audio/mp2;audio/x-mp2;audio/mp3;audio/x-mp3;audio/mpeg;audio/mpeg2;audio/mpeg3;audio/mpegurl;audio/x-mpegurl;audio/mpg;audio/x-mpg;audio/rn-mpeg;audio/musepack;audio/x-musepack;audio/ogg;audio/scpls;audio/x-scpls;audio/vnd.rn-realaudio;audio/wav;audio/x-pn-wav;audio/x-pn-windows-pcm;audio/x-realaudio;audio/x-pn-realaudio;audio/x-ms-wma;audio/x-pls;audio/x-wav;video/mpeg;video/x-mpeg2;video/x-mpeg3;video/mp4v-es;video/x-m4v;video/mp4;application/x-extension-mp4;video/divx;video/vnd.divx;video/msvideo;video/x-msvideo;video/ogg;video/quicktime;video/vnd.rn-realvideo;video/x-ms-afs;video/x-ms-asf;audio/x-ms-asf;application/vnd.ms-asf;video/x-ms-wmv;video/x-ms-wmx;video/x-ms-wvxvideo;video/x-avi;video/avi;video/x-flic;video/fli;video/x-flc;video/flv;video/x-flv;video/x-theora;video/x-theora+ogg;video/x-matroska;video/mkv;audio/x-matroska;application/x-matroska;video/webm;audio/webm;audio/vorbis;audio/x-vorbis;audio/x-vorbis+ogg;video/x-ogm;video/x-ogm+ogg;application/x-ogm;application/x-ogm-audio;application/x-ogm-video;application/x-shorten;audio/x-shorten;audio/x-ape;audio/x-wavpack;audio/x-tta;audio/AMR;audio/ac3;audio/eac3;audio/amr-wb;video/mp2t;audio/flac;audio/mp4;application/x-mpegurl;video/vnd.mpegurl;application/vnd.apple.mpegurl;audio/x-pn-au;video/3gp;video/3gpp;video/3gpp2;audio/3gpp;audio/3gpp2;video/dv;audio/dv;audio/opus;audio/vnd.dts;audio/vnd.dts.hd;audio/x-adpcm;application/x-cue;audio/m3u; - X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb + X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb,srt +Keywords=mpv;media;player;video;audio;tv; diff --git a/debian/patches/06_ffmpeg-abi.patch b/debian/patches/06_ffmpeg-abi.patch deleted file mode 100644 index 8ebac649257d..000000000000 --- a/debian/patches/06_ffmpeg-abi.patch +++ /dev/null @@ -1,34 +0,0 @@ -Description: Suppress ffmpeg version mismatch error - Requiring an exact ffmpeg version is usually not a good idea in a binary - distribution because: - - All FFmpeg security updates require a subsequent binNMU of mpv. - - Debian generated dependencies do not capture this dependency well (at least - without extra hacking). - - The requirement itself usually indicates an ABI violation. - For these reasons, remove the check and assume the current FFmpeg version is - compatible. -Author: James Cowgill <jcowg...@debian.org> -Bug-Debian: https://bugs.debian.org/831537 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ---- a/player/main.c -+++ b/player/main.c -@@ -387,18 +387,6 @@ int mp_initialize(struct MPContext *mpct - if (handle_help_options(mpctx)) - return 1; // help - -- if (!print_libav_versions(mp_null_log, 0)) { -- // This happens only if the runtime FFmpeg version is lower than the -- // build version, which will not work according to FFmpeg's ABI rules. -- // This does not happen if runtime FFmpeg is newer, which is compatible. -- print_libav_versions(mpctx->log, MSGL_FATAL); -- MP_FATAL(mpctx, "\nmpv was compiled against an incompatible version of " -- "FFmpeg/Libav than the shared\nlibrary it is linked against. " -- "This is most likely a broken build and could\nresult in " -- "misbehavior and crashes.\n\nThis is a broken build.\n"); -- return -1; -- } -- - #if HAVE_TESTS - if (opts->test_mode && opts->test_mode[0]) - return run_tests(mpctx) ? 1 : -1; diff --git a/debian/patches/07_io-stdin-used.patch b/debian/patches/07_io-stdin-used.patch index dccf57bb878d..93139a4a61df 100644 --- a/debian/patches/07_io-stdin-used.patch +++ b/debian/patches/07_io-stdin-used.patch @@ -13,4 +13,4 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +_IO_stdin_used mpv_abort_async_command mpv_client_api_version - mpv_client_name + mpv_client_id diff --git a/debian/patches/08_lua_security.patch b/debian/patches/08_lua_security.patch deleted file mode 100644 index e54b299a4bef..000000000000 --- a/debian/patches/08_lua_security.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 937749b545407aa68b1d15ea5e19a6c23d62da42 Mon Sep 17 00:00:00 2001 -From: astian <ast...@e-nautia.com> -Date: Mon, 11 Feb 2020 21:08:51 +0000 -Subject: [PATCH] lua: fix unintended code execution vulnerability - -Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6 -("lua: fix highly security relevant arbitrary code execution") to -release 0.32.0. - -Note: Before release 0.32.0, it used to be that mpv-related scripts -directories where added to Lua's module-loaders search path. This -behaviour was dropped in 0.32.0 (bc1c024ae032). Later, a similar but -stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c). -The original commit on which this patch is based depended on the new -behaviour. This backport retains the 0.32.0 behaviour; all it does is -filter out relative paths from "package.path" and "package.cpath" for -all Lua scripts. ---- - player/lua.c | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - ---- a/player/lua.c -+++ b/player/lua.c -@@ -273,6 +273,36 @@ - return 0; - } - -+static void fuck_lua(lua_State *L, const char *search_path) -+{ -+ void *tmp = talloc_new(NULL); -+ -+ lua_getglobal(L, "package"); // package -+ lua_getfield(L, -1, search_path); // package search_path -+ bstr path = bstr0(lua_tostring(L, -1)); -+ char *newpath = talloc_strdup(tmp, ""); -+ -+ // Unbelievable but true: Lua loads .lua files AND dynamic libraries from -+ // the working directory. This is highly security relevant. -+ // Lua scripts are still supposed to load globally installed libraries, so -+ // try to get by by filtering out any relative paths. -+ while (path.len) { -+ bstr item; -+ bstr_split_tok(path, ";", &item, &path); -+ if (bstr_startswith0(item, "/")) { -+ newpath = talloc_asprintf_append(newpath, "%s%.*s", -+ newpath[0] ? ";" : "", -+ BSTR_P(item)); -+ } -+ } -+ -+ lua_pushstring(L, newpath); // package search_path newpath -+ lua_setfield(L, -3, search_path); // package search_path -+ lua_pop(L, 2); // - -+ -+ talloc_free(tmp); -+} -+ - static int run_lua(lua_State *L) - { - struct script_ctx *ctx = lua_touserdata(L, -1); -@@ -326,6 +356,10 @@ - - assert(lua_gettop(L) == 0); - -+ fuck_lua(L, "path"); -+ fuck_lua(L, "cpath"); -+ assert(lua_gettop(L) == 0); -+ - // run this under an error handler that can do backtraces - lua_pushcfunction(L, error_handler); // errf - lua_pushcfunction(L, load_scripts); // errf fn diff --git a/debian/patches/series b/debian/patches/series index 6494d1756a34..793042262c25 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,6 +1,3 @@ 03_waf.patch 05_add-keywords.patch -06_ffmpeg-abi.patch 07_io-stdin-used.patch -08_lua_security.patch -0006-demux_mf-improve-format-string-processing.patch diff --git a/debian/rules b/debian/rules index 49d8fcdcb45b..2ff361e7104a 100755 --- a/debian/rules +++ b/debian/rules @@ -20,9 +20,7 @@ override_dh_auto_configure: --enable-cdda \ --enable-dvdnav \ --enable-libmpv-shared \ - --enable-libsmbclient \ --enable-sdl2 \ - --enable-sndio \ --disable-build-date \ $(ARCH_CONFIGURE)
