Source: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/mpv-player/mpv/issues/5456

Hi,

the following vulnerability was published for mpv.

CVE-2018-6360[0]:
| mpv through 0.28.0 allows remote attackers to execute arbitrary code
| via a crafted web site, because it reads HTML documents containing
| VIDEO elements, and accepts arbitrary URLs in a src attribute without a
| protocol whitelist in player/lua/ytdl_hook.lua. For example, an
| av://lavfi:ladspa=file= URL signifies that the product should call
| dlopen on a shared object file located at an arbitrary local pathname.
| The issue exists because the product does not consider that youtube-dl
| can provide a potentially unsafe URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6360
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
[1] https://github.com/mpv-player/mpv/issues/5456

Regards,
Salvatore

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
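The advisory quoted above pins the root cause on a missing protocol whitelist: the ytdl hook hands whatever URL youtube-dl returns straight to the player, so a non-network scheme such as av:// reaches internal demuxers that can load local files. The Lua below is an added illustration of the mitigation shape (an allow-list of network schemes checked before the URL is passed on); it is not mpv's own ytdl_hook.lua or the upstream fix. The allow-list contents, the function names url_scheme and url_is_safe, and the sample URLs are assumptions constructed for this example.

```lua
-- Added example: scheme allow-list of the kind that closes this bug class.
-- Illustrative code, not mpv's ytdl_hook.lua. The list below, the function
-- names and the sample inputs are assumptions made for this example.

-- Only network schemes that a site-provided URL is expected to use.
-- Anything absent here (av://, lavfi, file://, bare paths, ...) is refused.
local safe_protos = {
    http = true,  https = true,
    ftp = true,   ftps = true,
    rtmp = true,  rtmps = true, rtmpe = true,
    rtmpt = true, rtmpts = true, rtmpte = true,
}

-- Return the lower-cased scheme of a URL, or nil when it has none.
-- A scheme is letters/digits/+/./- followed by "://"; nothing else counts.
local function url_scheme(url)
    local proto = url:match("^([%a][%w+.-]*)://")
    if proto then
        return proto:lower()
    end
    return nil
end

-- True only when the URL carries a scheme from the allow-list. The check is
-- positive (allow known-good) rather than negative (deny known-bad), so a
-- scheme the author never thought about is refused by default.
local function url_is_safe(url)
    local proto = url_scheme(url)
    return proto ~= nil and safe_protos[proto] == true
end

-- Constructed sample inputs modelled on the report (not real sites/paths).
local samples = {
    "https://example.invalid/video.mp4",      -- ordinary HTTPS media -> allowed
    "RTMP://example.invalid/live/stream",     -- scheme case-insensitive -> allowed
    "av://lavfi:ladspa=file=/tmp/some.so",    -- shape named in the CVE text -> refused
    "lavfi:ladspa=file=/tmp/some.so",         -- no "://", so no scheme -> refused
    "file:///tmp/local.mkv",                  -- local file scheme -> refused
    "/tmp/local.mkv",                         -- bare path -> refused
}

for _, u in ipairs(samples) do
    print(string.format("%-42s %s", u, url_is_safe(u) and "allowed" or "refused"))
end
```

In a hook of this kind the check belongs at the point where the URL returned by youtube-dl is about to be loaded: if url_is_safe(url) is false, the hook should log the refused URL and drop the entry rather than fall through to the player's default loader. The same check has to be applied to every URL the extractor yields (multi-format and playlist entries included), not only the top-level one.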