[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.

From: Leo Famulari
Subject: [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
Date: Wed, 7 Feb 2018 21:44:17 -0500
User-agent: Mutt/1.9.2 (2017-12-15)

On Wed, Feb 07, 2018 at 02:53:12PM +0800, Alex Vong wrote:
> Tags: security
> Hello,
> This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
> into playing unsafe url returned by youtube-dl.

> From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
> From: Alex Vong <address@hidden>
> Date: Wed, 7 Feb 2018 14:39:40 +0800
> Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
> * gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
> gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
> * gnu/ (dist_patch_DATA): Add them.
> * gnu/packages/video.scm (mpv)[source]: Use them.

Thank you very much for putting this patch together!

I noticed that the person who fixed the bug upstream said that 4 commits
were needed [0], but this patch (and Debian's and Nix's) are missing the
first in that person's list, 828bd2963cd10.

I'm going to ask upstream to clarify but, in the meantime, do you know
why this patch is not included?


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]