Bug#950816: mpv: unintended code execution vulnerability

[astian]

Control: tags -1 + patch
Control: found -1 mpv/0.29.1-1

FYI, the patch below works for me.

Also, I think the version in stable is also affected.  The code differs
slightly so the patch will need a little tweak.

Cheers.

-- 

>From 937749b545407aa68b1d15ea5e19a6c23d62da42 Mon Sep 17 00:00:00 2001
From: astian 
Date: Mon, 11 Feb 2020 21:08:51 +
Subject: [PATCH] lua: fix unintended code execution vulnerability

Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6
("lua: fix highly security relevant arbitrary code execution") to
release 0.32.0.

Note:  Before release 0.32.0, it used to be that mpv-related scripts
directories where added to Lua's module-loaders search path.  This
behaviour was dropped in 0.32.0 (bc1c024ae032).  Later, a similar but
stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c).
The original commit on which this patch is based depended on the new
behaviour.  This backport retains the 0.32.0 behaviour; all it does is
filter out relative paths from "package.path" and "package.cpath" for
all Lua scripts.
---
 player/lua.c | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/player/lua.c b/player/lua.c
index 6423861..172ab4e 100644
--- a/player/lua.c
+++ b/player/lua.c
@@ -273,6 +273,36 @@ static int load_scripts(lua_State *L)
 return 0;
 }
 
+static void fuck_lua(lua_State *L, const char *search_path)
+{
+void *tmp = talloc_new(NULL);
+
+lua_getglobal(L, "package"); // package
+lua_getfield(L, -1, search_path); // package search_path
+bstr path = bstr0(lua_tostring(L, -1));
+char *newpath = talloc_strdup(tmp, "");
+
+// Unbelievable but true: Lua loads .lua files AND dynamic libraries from
+// the working directory. This is highly security relevant.
+// Lua scripts are still supposed to load globally installed libraries, so
+// try to get by by filtering out any relative paths.
+while (path.len) {
+bstr item;
+bstr_split_tok(path, ";", , );
+if (bstr_startswith0(item, "/")) {
+newpath = talloc_asprintf_append(newpath, "%s%.*s",
+ newpath[0] ? ";" : "",
+ BSTR_P(item));
+}
+}
+
+lua_pushstring(L, newpath);  // package search_path newpath
+lua_setfield(L, -3, search_path); // package search_path
+lua_pop(L, 2);  // -
+
+talloc_free(tmp);
+}
+
 static int run_lua(lua_State *L)
 {
 struct script_ctx *ctx = lua_touserdata(L, -1);
@@ -326,6 +356,10 @@ static int run_lua(lua_State *L)
 
 assert(lua_gettop(L) == 0);
 
+fuck_lua(L, "path");
+fuck_lua(L, "cpath");
+assert(lua_gettop(L) == 0);
+
 // run this under an error handler that can do backtraces
 lua_pushcfunction(L, error_handler); // errf
 lua_pushcfunction(L, load_scripts); // errf fn
-- 
2.25.0

Bug#950816: mpv: unintended code execution vulnerability

[astian]

Package: mpv
Version: 0.32.0-1
Severity: grave
Tags: security fixed-upstream
Justification: user security hole

Dear Maintainer,

If Lua scripts are enabled (they are by default) and configured for use
(Debian doesn't seem to have any active by default) mpv could end up
loading unintended code (lua scripts/bytecode and/or shared objects)
from the current working directory.

The following upstream commit supposedly fixes this:
https://github.com/mpv-player/mpv/commit/cce7062a8a6b6a3b3666aea3ff86db879cba67b6

Excerpt from the commit message:

  lua: fix highly security relevant arbitrary code execution bug

  It appears Lua's package paths try to load .lua files from the current
  working directory. Not only that, but also shared libraries.

  [...]

  In mpv's case, this is so security relevant, because mpv is normally
  used from the command line, and you will most likely actually change
  into your media directory or whatever with the shell, and play a file
  from there. No, you don't want to load a (probably downloaded) shared
  library from this directory if a script try to load a system lib with
  the same name or so.

  I'm not sure why LUA_PATH_DEFAULT in luaconf.h (both upstream and the
  Debian version) put "./?.lua" at the end, but in any case, trying to
  load a module that doesn't exist nicely lists all package paths in
  order, and confirms it tries to load files from the working directory
  first (anyone can try this). Even if it didn't, this would be
  problematic at best.

  Note that scripts are not sandboxed. They're allowed to load system
  libraries, which is also why we want to keep the non-idiotic parts of
  the package paths.

  [...]

  mpv in default configuration (i.e. no external scripts) is probably not
  affected. All builtin scripts only "require" preloaded modules, which,
  in a stroke of genius by the Lua developers, are highest priority in the
  load order. Otherwise, enjoy your semi-remote code execution bug.

  [...]

Cheers.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mpv depends on:
ii  libarchive13  3.4.0-1+b1
ii  libasound21.2.1.2-2
ii  libass9   1:0.14.0-2
ii  libavcodec58  7:4.2.2-1
ii  libavdevice58 7:4.2.2-1
ii  libavfilter7  7:4.2.2-1
ii  libavformat58 7:4.2.2-1
ii  libavutil56   7:4.2.2-1
ii  libbluray21:1.1.2-2
ii  libc6 2.29-9
ii  libcaca0  0.99.beta19-2.1
ii  libcdio-cdda2 10.2+2.0.0-1+b1
ii  libcdio-paranoia2 10.2+2.0.0-1+b1
ii  libcdio18 2.0.0-2
ii  libdrm2   2.4.100-4
ii  libdvdnav46.0.1-1+b1
ii  libegl1   1.3.0-7
ii  libgbm1   19.3.3-1
ii  libgl11.3.0-7
ii  libjack-jackd2-0 [libjack-0.125]  1.9.12~dfsg-2+b1
ii  libjpeg62-turbo   1:1.5.2-2+b1
ii  liblcms2-22.9-4
ii  liblua5.2-0   5.2.4-1.1+b3
ii  libpulse0 13.0-4
ii  librubberband21.8.2-1
ii  libsdl2-2.0-0 2.0.10+dfsg1-1
ii  libsmbclient  2:4.11.5+dfsg-1
ii  libsndio7.0   1.5.0-3
ii  libswresample37:4.2.2-1
ii  libswscale5   7:4.2.2-1
ii  libuchardet0  0.0.6-3
ii  libva-drm22.6.1-1
ii  libva-wayland22.6.1-1
ii  libva-x11-2   2.6.1-1
ii  libva22.6.1-1
ii  libvdpau1 1.3-1
ii  libwayland-client01.17.0-1+b1
ii  libwayland-cursor01.17.0-1+b1
ii  libwayland-egl1   1.17.0-1+b1
ii  libx11-6  2:1.6.8-1
ii  libxext6  2:1.3.3-1+b2
ii  libxinerama1  2:1.1.4-2
ii  libxkbcommon0 0.9.1-1
ii  libxrandr22:1.5.1-1
ii  libxss1   1:1.2.3-1
ii  libxv12:1.0.11-1
ii  zlib1g1:1.2.11.dfsg-1.1

Versions of packages mpv recommends:
ii  xdg-utils   1.1.3-1
ii  youtube-dl  2020.01.24-0.1

mpv suggests no packages.

-- no debconf information