Hello community,
here is the log from the commit of package mpv for openSUSE:Factory checked in
at 2018-02-15 13:25:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mpv (Old)
and /work/SRC/openSUSE:Factory/.mpv.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mpv"
Thu Feb 15 13:25:56 2018 rev:44 rq:576483 version:unknown
Changes:
--------
--- /work/SRC/openSUSE:Factory/mpv/mpv.changes 2018-02-10 18:00:21.687366242
+0100
+++ /work/SRC/openSUSE:Factory/.mpv.new/mpv.changes 2018-02-15
13:25:59.418921067 +0100
@@ -1,0 +2,8 @@
+Wed Feb 14 09:33:34 UTC 2018 - aloi...@gmx.com
+
+- Update to version 0.27.2
+ * This release contains an additional fix for CVE-2018-6360.
+ Fixes and Minor Enhancements
+ * ytdl_hook: whitelist subtitle URLs as well (#5456)
+
+-------------------------------------------------------------------
Old:
----
mpv-0.27.1.tar.gz
New:
----
mpv-0.27.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mpv.spec ++++++
--- /var/tmp/diff_new_pack.xLWc9M/_old 2018-02-15 13:26:00.338887650 +0100
+++ /var/tmp/diff_new_pack.xLWc9M/_new 2018-02-15 13:26:00.342887505 +0100
@@ -21,7 +21,7 @@
%define _waf_ver 1.9.13
%define _mbc_ver 3.3.16
-%define _mpv_ver 0.27.1
+%define _mpv_ver 0.27.2
%define lname libmpv1
Name: mpv
Version: %{_mpv_ver}
++++++ mpv-0.27.1.tar.gz -> mpv-0.27.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mpv-0.27.1/RELEASE_NOTES new/mpv-0.27.2/RELEASE_NOTES
--- old/mpv-0.27.1/RELEASE_NOTES 2018-02-10 13:45:10.000000000 +0100
+++ new/mpv-0.27.2/RELEASE_NOTES 2018-02-13 02:42:29.000000000 +0100
@@ -1,7 +1,16 @@
+Release 0.27.2
+==============
+
+This release contains an additional fix for CVE-2018-6360.
+
+Fixes and Minor Enhancements
+----------------------------
+- ytdl_hook: whitelist subtitle URLs as well (#5456)
+
Release 0.27.1
==============
-This releaes fixes CVE-2018-6360.
+This release fixes CVE-2018-6360.
Fixes and Minor Enhancements
----------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mpv-0.27.1/VERSION new/mpv-0.27.2/VERSION
--- old/mpv-0.27.1/VERSION 2018-02-10 13:45:10.000000000 +0100
+++ new/mpv-0.27.2/VERSION 2018-02-13 02:42:29.000000000 +0100
@@ -1 +1 @@
-0.27.1
+0.27.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/mpv-0.27.1/player/lua/ytdl_hook.lua
new/mpv-0.27.2/player/lua/ytdl_hook.lua
--- old/mpv-0.27.1/player/lua/ytdl_hook.lua 2018-02-10 13:45:10.000000000
+0100
+++ new/mpv-0.27.2/player/lua/ytdl_hook.lua 2018-02-13 02:42:29.000000000
+0100
@@ -270,7 +270,8 @@
if not (sub_info.data == nil) then
sub = "memory://"..sub_info.data
- elseif not (sub_info.url == nil) then
+ elseif not (sub_info.url == nil) and
+ url_is_safe(sub_info.url) then
sub = sub_info.url
end
@@ -468,7 +469,8 @@
local subfile = "edl://"
for i, entry in pairs(json.entries) do
if not (entry.requested_subtitles == nil) and
- not (entry.requested_subtitles[j] == nil) then
+ not (entry.requested_subtitles[j] == nil) and
+ url_is_safe(entry.requested_subtitles[j].url)
then
subfile =
subfile..edl_escape(entry.requested_subtitles[j].url)
else
subfile =
subfile..edl_escape("memory://WEBVTT")
