
Bug#890410: marked as done (mpv: fix for CVE-2018-6360 overlooks subtitles)



Your message dated Sat, 17 Feb 2018 23:50:20 +0000
with message-id <E1enCFI-0005Mp-Mq@fasolo.debian.org>
and subject line Bug#890410: fixed in mpv 0.27.2-1
has caused the Debian Bug report #890410,
regarding mpv: fix for CVE-2018-6360 overlooks subtitles
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
890410: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890410
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mpv
Version: 0.23.0-1
Severity: grave
Tags: security upstream

Yet another bug relating to the fix for CVE-2018-6360...

This time the bug is not a regression, but a mistake upstream made when
writing the original patch. Upstream overlooked the handling of subtitle
URLs which were not protected.

Upstream has released 0.27.2 and 0.28.2 to fix these. I think the bug
affects 0.23 as well (but I have not yet checked).

Possibly this warrants a new CVE number.

Upstream commit:
https://github.com/mpv-player/mpv/commit/3e71eb8676de53a05f51b987d294e7d2fa0a5bc1

James



--- End Message ---
--- Begin Message ---
Source: mpv
Source-Version: 0.27.2-1

We believe that the bug you reported is fixed in the latest version of
mpv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890410@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mpv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Feb 2018 22:56:00 +0000
Source: mpv
Binary: mpv libmpv1 libmpv-dev
Architecture: source
Version: 0.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmpv-dev - video player based on MPlayer/mplayer2 (client library dev files)
 libmpv1    - video player based on MPlayer/mplayer2 (client library)
 mpv        - video player based on MPlayer/mplayer2
Closes: 890410
Changes:
 mpv (0.27.2-1) unstable; urgency=medium
 .
   * New upstream bugfix release.
     - Also whitelist subtitle URLs in youtube-dl hook. (Closes: #890410)

--- End Message ---
