Your message dated Sat, 03 Feb 2018 15:18:47 +0000
with message-id <e1ehzaz-000idz...@fasolo.debian.org>
and subject line Bug#888654: fixed in mpv 0.27.0-3
has caused the Debian Bug report #888654,
regarding mpv: CVE-2018-6360
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888654
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.27.0-3

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowg...@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 03 Feb 2018 14:59:20 +0100
Source: mpv
Binary: mpv libmpv1 libmpv-dev
Architecture: source
Version: 0.27.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowg...@debian.org>
Description:
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mpv        - video player based on MPlayer/mplayer2
Closes: 888654
Changes:
 mpv (0.27.0-3) unstable; urgency=high
 .
   * debian/patches/09_ytdl-hook-whitelist-protocols.patch:
     - Add patch which whitelists protocols received from youtube-dl.
       Fixes CVE-2018-6360. (Closes: #888654)


--- End Message ---
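As an added example, not taken from the bug report, the mpv changelog or the project's own patch: a Python model of the protocol allowlist that the changelog entry describes, applied to URLs in the shape of a youtube-dl result such as the CVE description discusses. The scheme list, the JSON field names and the sample result are assumptions made for this example.

```python
import json
import re

# Allowlist of URL schemes a media player may open directly. This is an
# assumption for this example, not the list in mpv's own patch; what matters
# is that av:// and other FFmpeg-internal pseudo-protocols are absent.
SAFE_SCHEMES = {"http", "https", "ftp", "rtmp", "rtmps", "rtsp", "mms"}

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def url_scheme(url):
    """Return the lower-cased scheme of url, or None if it has none."""
    m = _SCHEME_RE.match(url.strip())
    return m.group(1).lower() if m else None

def is_safe_url(url):
    """A URL handed back by youtube-dl is usable only if its scheme is allowed."""
    scheme = url_scheme(url)
    return scheme is not None and scheme in SAFE_SCHEMES

def unsafe_urls(ytdl_json):
    """Return every URL in a youtube-dl JSON result that fails the allowlist.

    The field names ("url", "requested_formats") are assumed here; the point
    is that every URL in the result, not just the first, must be checked.
    An empty list means the result may be handed to the player.
    """
    info = json.loads(ytdl_json)
    candidates = []
    if "url" in info:
        candidates.append(info["url"])
    for fmt in info.get("requested_formats", []):
        if "url" in fmt:
            candidates.append(fmt["url"])
    return [u for u in candidates if not is_safe_url(u)]

# Constructed sample in the shape of a youtube-dl result; the second format
# carries the av://lavfi:ladspa=file= pseudo-URL named in the CVE text.
SAMPLE_RESULT = json.dumps({
    "title": "example",
    "requested_formats": [
        {"format_id": "video", "url": "https://cdn.example.invalid/v.mp4"},
        {"format_id": "audio", "url": "av://lavfi:ladspa=file=example.so"},
    ],
})

if __name__ == "__main__":
    print(unsafe_urls(SAMPLE_RESULT))  # -> ['av://lavfi:ladspa=file=example.so']
```

A scheme-less value (a bare local path) is rejected as well, since nothing youtube-dl returns should be opened as a local file.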
