<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for mpv</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2018:0479-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2018-02-19T09:08:38Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2018-02-19T09:08:38Z</InitialReleaseDate>
    <CurrentReleaseDate>2018-02-19T09:08:38Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for mpv</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for mpv fixes the following issues:

MPV was updated to version 0.27.2

Security issues fixed:

* CVE-2018-6360: Additional fix for CVE-2018-6360, where mpv allowed remote attackers to execute arbitrary code via a crafted web site, because it read HTML documents containing VIDEO elements and accepted arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product did not consider that youtube-dl can provide a potentially unsafe URL. (boo#1077894)

Fixes and minor enhancements:

* ytdl_hook: whitelist subtitle URLs as well (#5456)

MPV was updated to version 0.27.1

Security issues fixed:

* CVE-2018-6360: mpv allowed remote attackers to execute arbitrary code via a crafted web site, because it read HTML documents containing VIDEO elements and accepted arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product did not consider that youtube-dl can provide a potentially unsafe URL. (boo#1077894)

Fixes and minor enhancements:

* ytdl_hook: whitelist protocols from urls retrieved from youtube-dl (#5456)

Version 0.27.0:

Added features:

  * libmpv: options: add a thread-safe way to notify option updates
  * vd_lavc/vo_opengl: support embedded ICC profiles
  * vo: rendering API abstraction for future non-GL video outputs
  * vo_opengl: add a gamut warning feature to highlight
    out-of-gamut colors (--gamut-warning)
  * vo_opengl: add direct rendering support (--vd-lavc-dr)
  * vo_opengl: implement (faster) compute shader based EWA kernel
  * vo_opengl: implement HLG OOTF inverse
  * vo_opengl: support HDR peak detection (--hdr-compute-peak)
  * vo_opengl: support float input pixel formats
  * vo_opengl: support loading custom user textures (#4586)
  * vo_opengl: support user compute shaders

Removed features:

  * Remove video equalizer handling from vo_direct3d, vo_sdl,
    vo_vaapi, and vo_xv (GPL, not worth the effort to support legacy
    VOs)

Added options and commands:

  * player: add --track-auto-selection option

Changed options and commands:

  * input: use mnemonic names for mouse buttons, same as Qt:
    https://doc.qt.io/qt-5/qt.html#MouseButton-enum
  * options: change --loop semantics
  * player: make --lavfi-complex changeable at runtime
  * vf_eq: remove this filter (GPL; uses libavfilter’s eq filter
    now, with changed semantics)
  * video: change --deinterlace behavior
  * vo_opengl: generalize HDR tone mapping to gamut mapping,
    --hdr-tone-mapping → --tone-mapping

Removed options and commands:

  * --field-dominance (GPL-only author, no chance of relicensing)
  * input: drop deprecated 'osd' command
  * options: drop --video-aspect-method=hybrid (GPL-only)

Fixes and minor enhancements:

  * TOOLS/autocrop.lua: fix cropdetect black limit for 10-bit
    videos
  * TOOLS/lua/autodeint: update to lavfi-bridge
  * TOOLS/lua/status-line: improve and update
  * af_lavrresample: don't call swr_set_compensation() unless
    necessary (#4716)
  * ao_oss: fix period_size calculation (#4642)
  * ao_rsound: allow setting the host
  * audio: fix spdif mode
  * filter_kernels: correct spline64 kernel
  * options: fix --include (#4673)
  * player: fix --end with large values (#4650)
  * player: fix confusion in audio resync code (#4688)
  * player: make refresh seeks slightly more robust (#4757)
  * player: readd smi subtitle extension (#4626)
  * vd_lavc: change auto-probe order to prefer cuda over vdpau-copy
  * vd_lavc: fix device leak with copy-mode hwaccels (#4735)
  * vd_lavc: fix hwdec compatibility with yuvj420p formats
  * vd_lavc: fix mid-stream hwdec fallback
  * vf_vapoursynth: fix inverted sign and restore 10 bit support
    (#4720)
  * video: increase --monitorpixelaspect range
  * vo_opengl: adjust the rules for linearization (#4631)
  * vo_opengl: scale deband-grain to the signal range
  * vo_opengl: tone map on the maximum signal component
  * x11: fix that window could be resized when using embedding
    (#4784)
  * ytdl_hook: resolve relative paths when joining segment urls
    (#4827)
  * ytdl_hook: support fragments with relative paths, fixes
    segmented DASH

Version 0.26.0:

  * Built-in V4L TV support is disabled by default.
    av://v4l2 can be used instead.
  * Support for C plugins is now enabled by default (#4491).
  * Many more parts of the player are now licensed under LGPL,
    see Copyright file.

Added features:

  * csputils: implement sony s-gamut
  * vo_opengl: add new HDR tone mapping algorithm
    (mobius, now default)
  * vo_opengl: hwdec_cuda: Support separate decode and display
    devices
  * vo_opengl: implement sony s-log1 and s-log2 trc
  * vo_opengl: implement support for OOTFs and non-display referred
    content

Removed features:

  * vf_dlopen: remove this filter

Added options and commands:

  * vo_opengl: add --tone-mapping-desaturate
  * vo_opengl: support tone-mapping-param for `clip`
  * ytdl_hook: add option to exclude URLs from being parsed

Changed options and commands:

  * allow setting profile option with libmpv
  * audio: move replaygain control to top-level options
  * external_files: parse ~ in --{sub,audio}-paths
  * options: change --sub-fix-timing default to no (#4484)
  * options: expose string list actions for --sub-file option
  * options: slight cleanup of --sub-ass-style-override
    + signfs → scale
    + --sub-ass-style-override → --sub-ass-override
  * renamed the HDR TRCs `st2084` and `std-b67` to `pq` and `hlg`
    respectively
  * replace vf_format's `peak` suboption by `sig-peak`, which is
    relative to the reference white level instead of in cd/m^2
  * the following options change to append-by-default (and possibly
    separator): --script
  * video: change --video-aspect-method default value to `container`

Deprecated options and commands:

  * m_option: deprecate multiple items for -add etc.
  * player: deprecate 'osd' command
  * --audio-file-paths =&gt; --audio-file-path
  * --sub-paths =&gt; --sub-file-path
  * --opengl-shaders =&gt; --opengl-shader
  * --sub-paths =&gt; --sub-file-paths
  * the following options are deprecated for setting via API:
    + 'script' (use 'scripts')
    + 'sub-file' (use 'sub-files')
    + 'audio-file' (use 'audio-files')
    + 'external-file' (use 'external-files')
    (the compatibility hacks for this will be removed after this
    release)

Removed options and commands:

  * chmap: remove misleading 'downmix' channel layout name (#4545)
  * demux_lavf: remove --demuxer-lavf-cryptokey option (#4579)
  * input.conf: drop TV/DVB bindings
  * options: remove remaining deprecated audio device selection options
    + --alsa-device
    + --oss-device
    + --coreaudio-exclusive
    + --pulse-sink
    + --rsound-host/--rsound-port
    + --ao-sndio-device
    + --ao-wasapi-exclusive
    + --ao-wasapi-device
  * remove option --target-brightness
  * remove property 'video-params/nom-peak'

Fixes and minor enhancements:

  * TOOLS/lua/autoload.lua: actually sort files case insensitive (#4398)
  * TOOLS/lua/autoload.lua: ignores all files starting with '.'
  * ao_pulse: reorder format choice to prefer float and S32 over S16 as fallback format
  * command: add missing change notification for playlist-shuffle (#4573)
  * demux_disc: fix bluray subtitle language retrieval (#4611)
  * demux_mkv: fix alpha with vp9 + libvpx
  * demux_mkv: support FFmpeg A_MS/ACM extensions
  * ipc-unix: don’t truncate the message on EAGAIN (#4452)
  * ipc: raise json nesting limit (#4394)
  * mpv_identify: replace deprecated fps property (#4550)
  * options/path: fallback to USERPROFILE if HOME isn't set
  * player: close audio device on no audio track
  * player: fix potential segfault when playing dvd:// with DVD disabled (#4393)
  * player: prevent seek position to jump around adjacent keyframes, e.g. when dragging the OSC bar on short videos (#4183)
  * vo_opengl: bump up SHADER_MAX_HOOKS and MAX_TEXTURE_HOOKS to 64
  * vo_opengl: correct off-by-one in scale=oversample
  * vo_opengl: do not use vaapi-over-GLX (#4555)
  * vo_opengl: fall back to ordered dither instead of blowing up (#4519)
  * vo_opengl: tone map in linear XYZ instead of RGB
  * x11: add 128x128 sized icon support
  * ytdl_hook: add a header to support geo-bypass
  * ytdl_hook: don't override start time set by saved state
  * ytdl_hook: don't override user-set start time
  * ytdl_hook: treat single-entry playlists as a single video
  * gen: make output reproducible by ensuring stable output of
    pairs() by wrapping it where it matters. (Closes #18)

  version 3.3.15

  * Fix af/vf filter argument expansion (#15)
  * Remove some invalid suggestions for some options (#14)
  * Recognize all --profile-style options as such and complete
    them

  version 3.3.14

  * Reflect changed --list-options output for --vf-add-style
    options

- Let mpv own /etc/mpv/scripts as a ghost dir so other packages
  can create it and install scripts there.
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/opensuse-updates/2018-02/msg00065.html</URL>
      <Description>E-Mail link for openSUSE-SU-2018:0479-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 42.3">
      <Branch Type="Product Name" Name="openSUSE Leap 42.3">
        <FullProductName ProductID="openSUSE Leap 42.3">openSUSE Leap 42.3</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="libmpv1-0.27.2-13.5.1">
      <FullProductName ProductID="libmpv1-0.27.2-13.5.1">libmpv1-0.27.2-13.5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mpv-0.27.2-13.5.1">
      <FullProductName ProductID="mpv-0.27.2-13.5.1">mpv-0.27.2-13.5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mpv-bash-completion-3.3.16-13.5.1">
      <FullProductName ProductID="mpv-bash-completion-3.3.16-13.5.1">mpv-bash-completion-3.3.16-13.5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mpv-devel-0.27.2-13.5.1">
      <FullProductName ProductID="mpv-devel-0.27.2-13.5.1">mpv-devel-0.27.2-13.5.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mpv-zsh-completion-0.27.2-13.5.1">
      <FullProductName ProductID="mpv-zsh-completion-0.27.2-13.5.1">mpv-zsh-completion-0.27.2-13.5.1</FullProductName>
    </Branch>
    <Relationship ProductReference="libmpv1-0.27.2-13.5.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:libmpv1-0.27.2-13.5.1">libmpv1-0.27.2-13.5.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="mpv-0.27.2-13.5.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:mpv-0.27.2-13.5.1">mpv-0.27.2-13.5.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="mpv-bash-completion-3.3.16-13.5.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:mpv-bash-completion-3.3.16-13.5.1">mpv-bash-completion-3.3.16-13.5.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="mpv-devel-0.27.2-13.5.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:mpv-devel-0.27.2-13.5.1">mpv-devel-0.27.2-13.5.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
    <Relationship ProductReference="mpv-zsh-completion-0.27.2-13.5.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:mpv-zsh-completion-0.27.2-13.5.1">mpv-zsh-completion-0.27.2-13.5.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.</Note>
    </Notes>
    <CVE>CVE-2018-6360</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 42.3:libmpv1-0.27.2-13.5.1</ProductID>
        <ProductID>openSUSE Leap 42.3:mpv-0.27.2-13.5.1</ProductID>
        <ProductID>openSUSE Leap 42.3:mpv-bash-completion-3.3.16-13.5.1</ProductID>
        <ProductID>openSUSE Leap 42.3:mpv-devel-0.27.2-13.5.1</ProductID>
        <ProductID>openSUSE Leap 42.3:mpv-zsh-completion-0.27.2-13.5.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>https://lists.opensuse.org/opensuse-updates/2018-02/msg00065.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2018-6360.html</URL>
        <Description>CVE-2018-6360</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1077894</URL>
        <Description>SUSE Bug 1077894</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
