Bug 22558

I am applying Debian latest patch

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

Upstream has done good job : they released an updated tarball.

Advisory:

Josef Gajdusek reported that mpv 0.27.0 was vulnerable to an attack through it's youtube-dl hook. This could cause remote code execution. This upstream update creates of list of sure protocols to use through the hook.

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://github.com/mpv-player/mpv/releases/tag/v0.27.1

Removing cauldron as version 0.27.1 was succesfully submitted.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Oops, forgot RPMS list :

RPMS: 
mpv-0.27.1-1.mga6
lib{64}mpv1-0.27.1-1.mga6
libmpv-devel-0.27.1-1.mga6

SRPM:
mpv-0.27.1-1.mga6

Thanks Jóse!  Nice job.

Status comment: Fixed upstream in 0.29 => (none)

Mageia 6 :: x86_64

All the mirrors seem to be slow to sync this last 24 hours so I just grabbed the updates from mageia.org.

mpv functions OK as a video player and can now access Youtube videos  via the youtube-dl hook.

Leaving this open in case anybody objects to the methodology.

CC: (none) => tarazed25

Tested from mirrors in i586, downloads ok.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Sysadmins, please be careful this is about pushing mpv-0.27.1-1.mga6 while there is already another bug MGA #22603

1.mga6 has been replaced by 2.mga6, so this will need to be tested again.  You didn't really need to open another bug for it.

Ok. So I have tested in 64 bit vaapi enabled hardware and the fix is good. I have also played a file in 32 bit system without vaapi and it works (without hw accel of course).

How to test?

1.'vainfo' will help to ensure you have vaapi hardware (any intel since 2011 with integrated graphics does). At least the line below should appear.

VAProfileH264High               : VAEntrypointVLD

2.play a 1080p file with mpv. You should get this in the command line :

Using hardware decoding (vaapi).
VO: [vaapi] 1920x1080 vaapi[nv12]

Before this fix, you get "software decoding".

(In reply to David Walser from comment #9)
> 1.mga6 has been replaced by 2.mga6, so this will need to be tested again. 
> You didn't really need to open another bug for it.

I saw the advisory was done, I thought it was too late. Cool if not.

It doesn't look like the advisory has been committed to SVN yet, but even if it had been, they'd have just had to update it.

Mageia 6 :: x86_64
Had to use my Dell XPS13 for this because vainfo did not work on any of my other machines.

Installed vainfo.
$ vainfo
libva info: VA-API version 0.39.4
libva info: va_getDriverName() returns 0
libva info: Trying to open /usr/lib64/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_0_39
libva info: va_openDriver() returns 0
vainfo: VA-API version: 0.39 (libva 1.7.3)
vainfo: Driver version: Intel i965 driver for Intel(R) Kabylake - 1.7.3
vainfo: Supported profile and entrypoints
      VAProfileMPEG2Simple            :	VAEntrypointVLD
......................

Updated the mpv packages.
$ mpv Sonata.mp4
Auto-loading profile 'vo.vdpau'
'vo' auto profiles are deprecated.
Playing: Sonata.mp4
 (+) Video --vid=1 (*) (h264 1920x1080 23.974fps)
 (+) Audio --aid=1 --alang=und (*) (aac 2ch 44100Hz)
Failed to open VDPAU backend libvdpau_va_gl.so: cannot open shared object file: No such file or directory
[vo/vdpau] Error when calling vdp_device_create_x11: 1
libva info: VA-API version 0.39.4
libva info: va_getDriverName() returns 0
libva info: Trying to open /usr/lib64/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_0_39
libva info: va_openDriver() returns 0
Failed to open VDPAU backend libvdpau_va_gl.so: cannot open shared object file: No such file or directory
AO: [pulse] 44100Hz stereo 2ch float
Using hardware decoding (vaapi).
VO: [vaapi] 1920x1080 vaapi[nv12]

Giving this an OK for 64 bits.

Whiteboard: (none) => MGA6-64-OK

I am sorry about that, but upstream pushed another fix to allow youtube video subtitles which were broken with previous security fix.


So here is - I hope - final advisory.

Whiteboard: MGA6-64-OK => (none)

Advisory:

Josef Gajdusek reported that mpv 0.27.0 was vulnerable to an attack through it's youtube-dl hook. This could cause remote code execution. This upstream update creates of list of sure protocols to use through the hook.

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://github.com/mpv-player/mpv/releases/tag/v0.27.2

This update also fixes VAAPI accelerated decoding which is broken in upstream release.

RPMS :
mpv-0.27.2-1.mga6
lib{64}mpv1-0.27.2-1.mga6
libmpv-devel-0.27.2-1.mga6

SRPM:
mpv-0.27.2-1.mga6

Mageia6 :: x86_64

Updated the packages:
$ rpm -qa | grep mpv
mpv-0.27.2-1.mga6
lib64mpv1-0.27.2-1.mga6
lib64mpv-devel-0.27.2-1.mga6

Did not test VAAPI hardware - the earlier test shall have to do.

$ mpv https://www.youtube.com/watch?v=5ZlD8s4EUy0
Auto-loading profile 'vo.vdpau'
'vo' auto profiles are deprecated.
Playing: https://www.youtube.com/watch?v=5ZlD8s4EUy0
 (+) Video --vid=1 (*) (vp9 1920x1080 29.970fps)
 (+) Audio --aid=1 --alang=eng (*) 'DASH audio' (opus 2ch 48000Hz) (external)
AO: [pulse] 48000Hz stereo 2ch float
VO: [vdpau] 1920x1080 yuv420p
....................................

This looks good enough.

Not good enough without checking the subtitles option.
$  mpv https://www.youtube.com/watch?v=lYwQDNZrbWQ

This showed a documentary which supplied subtitles.  Switched them on from the control panel.

OK for 64-bit.  Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0130.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0130.html