[Secure-testing-team] Bug#888654: mpv: CVE-2018-6360
Salvatore Bonaccorso
carnil at debian.org
Sun Jan 28 13:17:47 UTC 2018
Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456
Hi,
the following vulnerability was published for mpv.
CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456
Regards,
Salvatore
More information about the Secure-testing-team
mailing list