mpv: patch CVE-2018-6360 #23928

Closed
wants to merge 1 commit into from
Conversation

Member

@DomT4 DomT4 commented Feb 10, 2018

  • Have you followed the guidelines for contributing?
  • Have you checked that there aren't other open pull requests for the same formula update/change?
  • Have you built your formula locally with brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
  • Does your build pass brew audit --strict <formula> (after doing brew install <formula>)?

mpv-player/mpv#5456. Yay, potential arbitrary code execution.

@ilovezfs
Contributor

Why is there no release?

@DomT4
Member Author

DomT4 commented Feb 10, 2018

These commits were stuck on top of the 0.28.x series, and Debian backported them to 0.27.0, which has since been applied by them & NixOS and FreeBSD and so on.

I suspect if there's going to be a release it'll be the 0.28.x branch, which we still can't use due to the ffmpeg requirements. It's a hideous & grim vulnerability, so there should be a release for 0.27.x given the ffmpeg situation, but will there be? Doubt it.

@ilovezfs
Contributor

Please file an issue. I don't think we should be patching downstream because they decided to have a hard dependency on a HEAD version of ffmpeg. This is ridiculous.

@DomT4
Member Author

DomT4 commented Feb 10, 2018

I'll make some noise, but this one is bad enough that I think we have to either patch it or remove the formula.

@ilovezfs
Contributor

Looks like it's breaking things https://www.mail-archive.com/[email protected]/msg1583476.html

@DomT4
Member Author

DomT4 commented Feb 10, 2018

That was fixed in the latest Debian tarball AFAIK, which we're using here.

mpv (0.27.0-4) unstable; urgency=high

  * debian/patches/09_ytdl-hook-whitelist-protocols.patch:
    - Fix regression in CVE-2018-6360 patch which broke youtube playlists.
      (Closes: #889892)

 -- James Cowgill <[email protected]>  Thu, 08 Feb 2018 11:51:09 +0000

@ilovezfs
Contributor

Swell.

@ilovezfs
Contributor

I'm assuming this comment needs to be updated? mpv-player/mpv#5456 (comment)

@DomT4
Member Author

DomT4 commented Feb 10, 2018

I assume so, based on the Debian Changelog pasted above. CC @jcowgill for confirmation.

@DomT4
Member Author

DomT4 commented Feb 10, 2018

mpv-player/mpv#5507

@ilovezfs
Contributor

😭

@DomT4
Member Author

DomT4 commented Feb 10, 2018

Thanks Joe. Here's hoping the upstream issue achieves something productive.

@DomT4 DomT4 deleted the mpv branch February 10, 2018 06:54
@ilovezfs
Contributor

Even if they appear to react negatively to the issue, maybe they'll think twice before depending on a HEAD version next time given non-zero pushback.

@jcowgill

FWIW 0.27.0-4 was the correct version to take the patch from but now that we have 0.27.1, it doesn't matter now.

@ilovezfs
Contributor

Thanks for following up @jcowgill ❤️

@Homebrew Homebrew locked and limited conversation to collaborators May 4, 2018