Bug 1077894 - (CVE-2018-6360) VUL-0: CVE-2018-6360: mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol w
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 42.3
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/199095/
Reported: 2018-01-29 06:22 UTC by Marcus Meissner
Modified: 2018-02-19 15:40 UTC
Found By: Security Response Team
Description Marcus Meissner 2018-01-29 06:22:23 UTC
CVE-2018-6360

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a
crafted web site, because it reads HTML documents containing VIDEO elements, and
accepts arbitrary URLs in a src attribute without a protocol whitelist in
player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies
that the product should call dlopen on a shared object file located at an
arbitrary local pathname. The issue exists because the product does not consider
that youtube-dl can provide a potentially unsafe URL.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6360
http://www.cvedetails.com/cve/CVE-2018-6360/
https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
https://github.com/mpv-player/mpv/issues/5456
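
The missing check described above, sketched as a default-deny scheme allowlist applied to URLs returned by an external resolver. This is an added example, not code from this bug report or from mpv; the function names, the allowlist contents and the sample URLs are assumptions constructed for illustration.

```lua
-- Added illustration, not mpv's code: allowlist the scheme of every URL an
-- external resolver (youtube-dl here) hands back before the player opens it.
-- SAFE_SCHEMES and all function names are assumptions made for this example.
local SAFE_SCHEMES = {
    http = true, https = true, ftp = true, ftps = true,
    rtmp = true, rtmps = true,
}

-- Lower-cased scheme of `url`, or nil when there is none.
-- RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
local function url_scheme(url)
    if type(url) ~= "string" then return nil end
    local scheme = url:match("^(%a[%w+.-]*):")
    return scheme and scheme:lower() or nil
end

-- Default deny: no scheme (a bare local path) or an unlisted scheme fails.
local function url_is_safe(url)
    local scheme = url_scheme(url)
    return scheme ~= nil and SAFE_SCHEMES[scheme] == true
end

-- Split resolver output into URLs to play and URLs to drop and log.
local function filter_urls(urls)
    local accepted, rejected = {}, {}
    for _, u in ipairs(urls) do
        local bucket = url_is_safe(u) and accepted or rejected
        bucket[#bucket + 1] = u
    end
    return accepted, rejected
end

-- Constructed sample input; the paths are placeholders.
local samples = {
    "https://media.example.com/clip.mp4",
    "HTTPS://media.example.com/clip.mp4",        -- scheme match is case-insensitive
    "av://lavfi:ladspa=file=/placeholder/x.so",  -- URL form named in the CVE text
    "file:///placeholder/local.mkv",             -- local file access
    "/placeholder/local.mkv",                    -- no scheme at all
    " https://media.example.com/clip.mp4",       -- leading space: not trimmed, rejected
}

local accepted, rejected = filter_urls(samples)
for _, u in ipairs(accepted) do print("accept", u) end
for _, u in ipairs(rejected) do print("reject", u) end
```
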
Comment 1 Tomáš Chvátal 2018-01-30 14:55:11 UTC
Let's wait for upstream release and bump it where needed I suppose.
Comment 2 Tomáš Chvátal 2018-01-30 15:22:53 UTC
Actually they use git versions of ffmpeg now, so let's patch....
Comment 3 Tomáš Chvátal 2018-01-30 15:28:13 UTC
And the patch is tied to the API rewrite of the ffmpeg...
Comment 4 Luigi Baldoni 2018-02-10 14:51:27 UTC
Sent updates for 0.27.1 for both Factory and Leap 42.3.
Comment 5 Swamp Workflow Management 2018-02-10 15:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1077894) was mentioned in
https://build.opensuse.org/request/show/575227 42.3 / mpv
Comment 6 Luigi Baldoni 2018-02-12 12:45:15 UTC
Updates accepted.
Comment 7 Swamp Workflow Management 2018-02-14 10:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1077894) was mentioned in
https://build.opensuse.org/request/show/576477 42.3 / mpv
Comment 8 Swamp Workflow Management 2018-02-19 14:17:38 UTC
openSUSE-SU-2018:0479-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1077894
CVE References: CVE-2018-6360
Sources used:
openSUSE Leap 42.3 (src):    mpv-0.27.2-13.5.1