mpv: fix CVE-2018-6460

Upstream has fixed this in a series of commits ontop of 0.28.0. Debian has backported the fixes to 0.27.0. Upstream issue: mpv-player/mpv#5456 Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888654#8
andir · Feb 7, 2018 · 95f4d6b · 95f4d6b
1 parent 8ff7ac4
commit 95f4d6b
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/pkgs/applications/video/mpv/default.nix b/pkgs/applications/video/mpv/default.nix
@@ -95,6 +95,11 @@ in stdenv.mkDerivation rec {
       url = "https://github.com/mpv-player/mpv/commit/2ecf240b1cd20875991a5b18efafbe799864ff7f.patch";
       sha256 = "1sr0770rvhsgz8d7ysr9qqp4g9gwdhgj8g3rgnz90wl49lgrykhb";
     })
+    (fetchpatch {
+      name = "CVE-2018-6360.patch";
+      url = https://salsa.debian.org/multimedia-team/mpv/raw/ddface85a1adfdfe02ffb25b5ac7fac715213b97/debian/patches/09_ytdl-hook-whitelist-protocols.patch;
+      sha256 = "1gb1lkjbr8rv4v9ji6w5z97kbxbi16dbwk2255ajbvngjrc7vivv";
+    })
   ];
 
   postPatch = ''