Hello community, here is the log from the commit of package mpv for openSUSE:Factory checked in at 2018-02-15 13:25:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mpv (Old) and /work/SRC/openSUSE:Factory/.mpv.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mpv"
Thu Feb 15 13:25:56 2018 rev:44 rq:576483 version:unknown
Changes:
--------
--- /work/SRC/openSUSE:Factory/mpv/mpv.changes 2018-02-10 18:00:21.687366242 +0100
+++ /work/SRC/openSUSE:Factory/.mpv.new/mpv.changes 2018-02-15 13:25:59.418921067 +0100
@@ -1,0 +2,8 @@
+Wed Feb 14 09:33:34 UTC 2018 - aloi...@gmx.com
+
+- Update to version 0.27.2
+ * This release contains an additional fix for CVE-2018-6360.
+ Fixes and Minor Enhancements
+ * ytdl_hook: whitelist subtitle URLs as well (#5456)
+
+-------------------------------------------------------------------
Old:
----
mpv-0.27.1.tar.gz
New:
----
mpv-0.27.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mpv.spec ++++++
--- /var/tmp/diff_new_pack.xLWc9M/_old 2018-02-15 13:26:00.338887650 +0100
+++ /var/tmp/diff_new_pack.xLWc9M/_new 2018-02-15 13:26:00.342887505 +0100
@@ -21,7 +21,7 @@
 %define _waf_ver 1.9.13
 %define _mbc_ver 3.3.16
-%define _mpv_ver 0.27.1
+%define _mpv_ver 0.27.2
 %define lname libmpv1
 Name: mpv
 Version: %{_mpv_ver}
++++++ mpv-0.27.1.tar.gz -> mpv-0.27.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpv-0.27.1/RELEASE_NOTES new/mpv-0.27.2/RELEASE_NOTES
--- old/mpv-0.27.1/RELEASE_NOTES 2018-02-10 13:45:10.000000000 +0100
+++ new/mpv-0.27.2/RELEASE_NOTES 2018-02-13 02:42:29.000000000 +0100
@@ -1,7 +1,16 @@
+Release 0.27.2
+==============
+
+This release contains an additional fix for CVE-2018-6360.
+
+Fixes and Minor Enhancements
+----------------------------
+- ytdl_hook: whitelist subtitle URLs as well (#5456)
+
 Release 0.27.1
 ==============
-This releaes fixes CVE-2018-6360.
+This release fixes CVE-2018-6360.
 Fixes and Minor Enhancements
 ----------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpv-0.27.1/VERSION new/mpv-0.27.2/VERSION
--- old/mpv-0.27.1/VERSION 2018-02-10 13:45:10.000000000 +0100
+++ new/mpv-0.27.2/VERSION 2018-02-13 02:42:29.000000000 +0100
@@ -1 +1 @@
-0.27.1
+0.27.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mpv-0.27.1/player/lua/ytdl_hook.lua new/mpv-0.27.2/player/lua/ytdl_hook.lua
--- old/mpv-0.27.1/player/lua/ytdl_hook.lua 2018-02-10 13:45:10.000000000 +0100
+++ new/mpv-0.27.2/player/lua/ytdl_hook.lua 2018-02-13 02:42:29.000000000 +0100
@@ -270,7 +270,8 @@
 if not (sub_info.data == nil) then
 sub = "memory://"..sub_info.data
- elseif not (sub_info.url == nil) then
+ elseif not (sub_info.url == nil) and
+ url_is_safe(sub_info.url) then
 sub = sub_info.url
 end
@@ -468,7 +469,8 @@
 local subfile = "edl://"
 for i, entry in pairs(json.entries) do
 if not (entry.requested_subtitles == nil) and
- not (entry.requested_subtitles[j] == nil) then
+ not (entry.requested_subtitles[j] == nil) and
+ url_is_safe(entry.requested_subtitles[j].url) then
 subfile = subfile..edl_escape(entry.requested_subtitles[j].url)
 else
 subfile = subfile..edl_escape("memory://WEBVTT")
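Review bot: The new `url_is_safe(sub_info.url)` guard in the `elseif` of the first ytdl_hook.lua hunk carries no comment explaining why a subtitle URL needs checking, and the release notes call this an additional fix for CVE-2018-6360, so this call site appears to have been missed by the earlier fix. I would add `-- subtitle URL comes from the ytdl JSON; accept it only if it is whitelisted (CVE-2018-6360)` above the `elseif`, so that later URL uses in this file get the same treatment. url_is_safe is defined outside this hunk, so it cannot be confirmed here whether a rejected URL is logged; if it is not, `sub` simply stays unset and the subtitle disappears without a trace. The enclosing function starts and ends outside the hunk.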
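Review bot: In the second ytdl_hook.lua hunk, `entry.requested_subtitles[j].url` is passed to url_is_safe without a nil check, although the first hunk shows that a subtitle entry can carry `data` instead of `url`. Whether url_is_safe tolerates nil is not visible here; if it does not, the loop would raise rather than reach the `memory://WEBVTT` placeholder, and `not (entry.requested_subtitles[j].url == nil) and` before the call would keep the fallback. The condition also now spans three lines that repeat the same lookup, so a local such as `local req = entry.requested_subtitles and entry.requested_subtitles[j]` would make the check easier to audit. The loop body continues outside the hunk.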