Your message dated Sat, 18 Jul 2020 22:49:23 +0000 with message-id <e1jwvdz-000hdn...@fasolo.debian.org> and subject line Bug#950816: fixed in mpv 0.32.0-2 has caused the Debian Bug report #950816, regarding mpv: unintended code execution vulnerability to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 950816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950816 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: mpv Version: 0.32.0-1 Severity: grave Tags: security fixed-upstream Justification: user security hole Dear Maintainer, If Lua scripts are enabled (they are by default) and configured for use (Debian doesn't seem to have any active by default) mpv could end up loading unintended code (lua scripts/bytecode and/or shared objects) from the current working directory. The following upstream commit supposedly fixes this: https://github.com/mpv-player/mpv/commit/cce7062a8a6b6a3b3666aea3ff86db879cba67b6 Excerpt from the commit message: lua: fix highly security relevant arbitrary code execution bug It appears Lua's package paths try to load .lua files from the current working directory. Not only that, but also shared libraries. [...] In mpv's case, this is so security relevant, because mpv is normally used from the command line, and you will most likely actually change into your media directory or whatever with the shell, and play a file from there. No, you don't want to load a (probably downloaded) shared library from this directory if a script try to load a system lib with the same name or so. I'm not sure why LUA_PATH_DEFAULT in luaconf.h (both upstream and the Debian version) put "./?.lua" at the end, but in any case, trying to load a module that doesn't exist nicely lists all package paths in order, and confirms it tries to load files from the working directory first (anyone can try this). Even if it didn't, this would be problematic at best. Note that scripts are not sandboxed. They're allowed to load system libraries, which is also why we want to keep the non-idiotic parts of the package paths. [...] mpv in default configuration (i.e. no external scripts) is probably not affected. All builtin scripts only "require" preloaded modules, which, in a stroke of genius by the Lua developers, are highest priority in the load order. Otherwise, enjoy your semi-remote code execution bug. [...] Cheers. -- System Information: Debian Release: bullseye/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages mpv depends on: ii libarchive13 3.4.0-1+b1 ii libasound2 1.2.1.2-2 ii libass9 1:0.14.0-2 ii libavcodec58 7:4.2.2-1 ii libavdevice58 7:4.2.2-1 ii libavfilter7 7:4.2.2-1 ii libavformat58 7:4.2.2-1 ii libavutil56 7:4.2.2-1 ii libbluray2 1:1.1.2-2 ii libc6 2.29-9 ii libcaca0 0.99.beta19-2.1 ii libcdio-cdda2 10.2+2.0.0-1+b1 ii libcdio-paranoia2 10.2+2.0.0-1+b1 ii libcdio18 2.0.0-2 ii libdrm2 2.4.100-4 ii libdvdnav4 6.0.1-1+b1 ii libegl1 1.3.0-7 ii libgbm1 19.3.3-1 ii libgl1 1.3.0-7 ii libjack-jackd2-0 [libjack-0.125] 1.9.12~dfsg-2+b1 ii libjpeg62-turbo 1:1.5.2-2+b1 ii liblcms2-2 2.9-4 ii liblua5.2-0 5.2.4-1.1+b3 ii libpulse0 13.0-4 ii librubberband2 1.8.2-1 ii libsdl2-2.0-0 2.0.10+dfsg1-1 ii libsmbclient 2:4.11.5+dfsg-1 ii libsndio7.0 1.5.0-3 ii libswresample3 7:4.2.2-1 ii libswscale5 7:4.2.2-1 ii libuchardet0 0.0.6-3 ii libva-drm2 2.6.1-1 ii libva-wayland2 2.6.1-1 ii libva-x11-2 2.6.1-1 ii libva2 2.6.1-1 ii libvdpau1 1.3-1 ii libwayland-client0 1.17.0-1+b1 ii libwayland-cursor0 1.17.0-1+b1 ii libwayland-egl1 1.17.0-1+b1 ii libx11-6 2:1.6.8-1 ii libxext6 2:1.3.3-1+b2 ii libxinerama1 2:1.1.4-2 ii libxkbcommon0 0.9.1-1 ii libxrandr2 2:1.5.1-1 ii libxss1 1:1.2.3-1 ii libxv1 2:1.0.11-1 ii zlib1g 1:1.2.11.dfsg-1.1 Versions of packages mpv recommends: ii xdg-utils 1.1.3-1 ii youtube-dl 2020.01.24-0.1 mpv suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: mpv Source-Version: 0.32.0-2 Done: Reinhard Tartler <siret...@tauware.de> We believe that the bug you reported is fixed in the latest version of mpv, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 950...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Reinhard Tartler <siret...@tauware.de> (supplier of updated mpv package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 18 Jul 2020 18:01:43 -0400 Source: mpv Architecture: source Version: 0.32.0-2 Distribution: unstable Urgency: medium Maintainer: Debian Multimedia Maintainers <debian-multime...@lists.debian.org> Changed-By: Reinhard Tartler <siret...@tauware.de> Closes: 950816 Changes: mpv (0.32.0-2) unstable; urgency=medium . * Bug fix: "unintended code execution vulnerability", thanks to astian (Closes: #950816). Patch backported from upstream Checksums-Sha1: 2f8162366f112c882e0a20ad3f1872dd14f473fb 2981 mpv_0.32.0-2.dsc 6e17602575954836f8778029396358484ec6254e 108264 mpv_0.32.0-2.debian.tar.xz Checksums-Sha256: 3f2b2b6391e141dd0376a109c6bb04971cdf2f9414d02ceee0e40ba3f4f6dbc1 2981 mpv_0.32.0-2.dsc 2470a0429811a08241b851df10ac0a54bde92e396be2ec43b73d0b8e149ed165 108264 mpv_0.32.0-2.debian.tar.xz Files: ff897a23d41737dc7a66e3f0212c019c 2981 video optional mpv_0.32.0-2.dsc 1fd61d5969801931909049aaee3924f1 108264 video optional mpv_0.32.0-2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAl8TeY4UHHNpcmV0YXJ0 QHRhdXdhcmUuZGUACgkQSadpd5QoJstW8A/+LhALQ4w0S0mjUISuWugfBF4mUzzR K3Yz3ueFzbgWxS2GTKiFXlube/vmvP6CZL2NJqtmoxxDD4YpUIRLlJH8Mx/+vXbh hfjoaEF2/A0NxmUqlsodCVbIg/dnYPFIIeEytRNedldLtXz9vos/fQP/qwu35ctf nUVa55ixIQ9UUZFySxFLRwCLmJ5qeTqu7s/6y9Jtqd6An4TjI2oG+fg+GEx+Fx8G xcciRgfm4tmyZADQGYiYILaCkYVma/b/182AI7nLmGQeqTmT16VVEIgki9P7C46v M0VLGcT8URR5d6nNU22PjsYVmPTNxDIgyhUNr2qdc6jRXWoF8QL5HUb9mlzfuB9Z VTgYaLpbqmJCndCSpV9S1MsiK0UfG/LeyUWl5WzrtC4tXiDtoE8Y3kOr3+IoPkLZ MjIi1/RjJ0kLKIJTRaT4IesBn/HT5wzYDhFYw1NOJjFaIS1DhdobX+6L3vXnvHem 2yaX8gQfK9Bs7n12wGfr5bYopv2eTklc1NP3gYeuuB0NapTNFgbMV9qvpFE8m7P5 mO3GnTUN2UkcNUvoqac77t8mlSCdJOAbmY1vSrLTTv0HSideu54iUikJ4F2r1r/Y zfJBU02Vx8XREKRdvDCv/eDVoQxjzaUt7MqmRem/YIGOSMzEdSPpMkuOwTgmvDuw RmDv1fB+D4eQ59A= =gSpU -----END PGP SIGNATURE-----
--- End Message ---
