| Summary: | mpv new security issue CVE-2021-30145 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | mpv-0.32.0-7.mga9.src.rpm | CVE: | CVE-2021-30145 |
| Status comment: | | | |
Description

David Walser 2021-05-30 23:52:33 CEST

David Walser 2021-05-30 23:52:44 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO

fixed in mga7/8

src:
- mpv-0.29.1-8.1.mga7
- mpv-0.32.0-6.1.mga8

Status comment: Fixed upstream in 0.33.1 => (none)

RPMS:
mpv-0.29.1-8.1.mga7
libmpv1-0.29.1-8.1.mga7
libmpv-devel-0.29.1-8.1.mga7
mpv-0.32.0-6.1.mga8
libmpv-devel-0.32.0-6.1.mga8
libmpv1-0.32.0-6.1.mga8

mga7, x64

CVE-2021-30145

Tried to find a playlist which would expose the vulnerability. Nothing doing.

$ mpv http://10.0.0.1/evil.m3u
Playing: http://10.0.0.1/evil.m3u
[ffmpeg] tcp: Connection to tcp://10.0.0.1:80 failed: Connection timed out

Updated the three packages and hauled in another 133.

$ mpv https://www.youtube.com/watch?v=.........
Playing: https://www.youtube.com/watch?v=........
 (+) Video --vid=1 (*) (h264 1280x720 29.970fps)
 (+) Audio --aid=1 (*) 'tiny' (aac 2ch 44100Hz) (external)
AO: [pulse] 44100Hz stereo 2ch s32
VO: [gpu] 1280x720 yuv420p
AV: 00:00:33 / 00:11:22 (4%) A-V: 0.000 Dropped: 1 Cache: 47s+11MB
[ffmpeg] NULL: Invalid NAL unit size (13631 > 1912).
[ffmpeg] NULL: missing picture in access unit with size 1916
Exiting... (Quit)

That worked well.

Played some local music files with formats aif, wav, paf, snd, flac, ogg, mp3.
Played video and sound in webm, mkv and mp4 formats.

$ mpv youtube.m3u
Played successive music videos.

CC: (none) => tarazed25

Len Lawrence 2021-06-01 23:32:44 CEST

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

mga8, x64

Updated the mpv packages and ran mpv against a number of video and audio formats. No regressions noted.

$ mpv TheCorries.m3u
Playing: /home/lcl/Music/wav/corries/CamYeByAtholl.wav
 (+) Audio --aid=1 (pcm_s16le 2ch 44100Hz)
AO: [pulse] 44100Hz stereo 2ch s16
A: 00:00:17 / 00:02:25 (12%)

Works fine with playlist files.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Validating.

Keywords: (none) => validated_update

Advisory:
========================

Updated mpv packages fix a security vulnerability:

Fixed format string vulnerability allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file (CVE-2021-30145).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29058
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30145
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QVXB4F67QODLPKYBZX7SBXTE7ESGKGOD/
========================

Updated packages in 8/core/updates_testing:
========================
mpv-0.32.0-6.1.mga8
lib(64)mpv-devel-0.32.0-6.1.mga8
lib(64)mpv1-0.32.0-6.1.mga8

from SRPM:
mpv-0.32.0-6.1.mga8
========================

Updated packages in 7/core/updates_testing:
========================
mpv-0.29.1-8.1.mga7
lib(64)mpv1-0.29.1-8.1.mga7
lib(64)mpv-devel-0.29.1-8.1.mga7

from SRPM:
mpv-0.29.1-8.1.mga7

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0235.html

Status: NEW => RESOLVED
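The advisory names the bug class (a format string vulnerability reached through a crafted m3u playlist) without showing what it looks like in code. The C program below is an added illustration written for this page; it is not mpv's code and not taken from the upstream fix. The `log_msg` wrapper, `extinf_title`, the two `render_title_*` functions and the embedded playlist lines are all constructed for the example. It pulls the title out of each `#EXTINF` line and renders it once through the vulnerable pattern (the untrusted title used as the format) and once through the hardened pattern (a fixed `"%s"` format with the title as an argument). The sample title only carries a `%%` sequence, so the difference is visible with well-defined behaviour.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration of the bug class behind CVE-2021-30145, not mpv's code:
 * text taken from an untrusted playlist reaches a printf-style function
 * as its *format* instead of as an argument. All names and the sample
 * playlist are constructed for this example.
 */

/* A small printf-style helper of the kind many programs wrap around
 * vsnprintf. Because it carries no format attribute, the compiler cannot
 * warn when a caller passes untrusted text as fmt. */
static void log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Return the title part of an "#EXTINF:<secs>,<title>" playlist line,
 * or NULL if the line is not an EXTINF line. */
const char *extinf_title(const char *line)
{
    const char *comma;
    if (strncmp(line, "#EXTINF:", 8) != 0)
        return NULL;
    comma = strchr(line + 8, ',');
    return comma ? comma + 1 : NULL;
}

/* Vulnerable pattern: the playlist title *is* the format string, so every
 * '%' conversion in it is interpreted. This example only feeds it "%%"
 * (well-defined: it collapses to a single '%') so the interpretation is
 * visible without undefined behaviour; any other conversion would make
 * vsnprintf read or write memory the caller never supplied, which is how
 * this bug class ends in code execution. */
char *render_title_vulnerable(const char *title, char *out, size_t outlen)
{
    log_msg(out, outlen, title);
    return out;
}

/* Hardened pattern: a fixed format, with the untrusted text passed only as
 * a %s argument, so it is copied verbatim. */
char *render_title_safe(const char *title, char *out, size_t outlen)
{
    log_msg(out, outlen, "%s", title);
    return out;
}

int main(void)
{
    /* Constructed playlist; the title carries a "%%" sequence. */
    static const char *const playlist[] = {
        "#EXTM3U",
        "#EXTINF:123,Demo Artist - 50%% off",
        "http://example.invalid/track.mp3",
    };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof playlist / sizeof playlist[0]; i++) {
        const char *title = extinf_title(playlist[i]);
        if (!title)
            continue;
        /* The vulnerable path prints "50% off": the playlist text was
         * interpreted. The safe path prints "50%% off": copied verbatim. */
        printf("vulnerable: %s\n", render_title_vulnerable(title, buf, sizeof buf));
        printf("safe:       %s\n", render_title_safe(title, buf, sizeof buf));
    }
    return 0;
}
```

A cheap check against this pattern is to give such wrappers a format attribute (`__attribute__((format(printf, 3, 4)))` on `log_msg` here) so that GCC's `-Wformat-security`, which many distributions enable by default, flags the `log_msg(out, outlen, title)` call at compile time; without the attribute the compiler has no way to tell the wrapper apart from an ordinary function and the call goes unnoticed.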