Bug 22558 - mpv new security issue CVE-2018-6360
Summary: mpv new security issue CVE-2018-6360
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords:
Depends on:
Blocks: 22603
  Show dependency treegraph
 
Reported: 2018-02-10 21:10 CET by David Walser
Modified: 2018-02-17 20:41 CET (History)
3 users (show)

See Also:
Source RPM: mpv-0.27.0-6.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-02-10 21:10:01 CET
Debian has issued an advisory on February 6:
https://www.debian.org/security/2018/dsa-4105

It sounds like it was fixed upstream in 0.29.

Debian has also links to upstream commits and patches for 0.27.  Note that the initial fix caused a regression which Debian has also since fixed:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888654
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889892

Mageia 6 is also affected.
David Walser 2018-02-10 21:10:09 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-10 22:11:28 CET

Status comment: (none) => Fixed upstream in 0.29

Comment 1 José Jorge 2018-02-11 15:30:21 CET
I am applying Debian latest patch

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

Comment 2 José Jorge 2018-02-11 15:44:19 CET
Upstream has done good job : they released an updated tarball.

Advisory:

Josef Gajdusek reported that mpv 0.27.0 was vulnerable to an attack through it's youtube-dl hook. This could cause remote code execution. This upstream update creates of list of sure protocols to use through the hook.

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://github.com/mpv-player/mpv/releases/tag/v0.27.1
José Jorge 2018-02-11 15:44:37 CET

Keywords: (none) => Security
Assignee: lists.jjorge => qa-bugs

Comment 3 José Jorge 2018-02-11 15:46:32 CET
Removing cauldron as version 0.27.1 was succesfully submitted.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 4 José Jorge 2018-02-11 16:05:32 CET
Oops, forgot RPMS list :

RPMS: 
mpv-0.27.1-1.mga6
lib{64}mpv1-0.27.1-1.mga6
libmpv-devel-0.27.1-1.mga6

SRPM:
mpv-0.27.1-1.mga6
Comment 5 David Walser 2018-02-11 17:13:01 CET
Thanks Jóse!  Nice job.

Status comment: Fixed upstream in 0.29 => (none)

Comment 6 Len Lawrence 2018-02-12 16:33:38 CET
Mageia 6 :: x86_64

All the mirrors seem to be slow to sync this last 24 hours so I just grabbed the updates from mageia.org.

mpv functions OK as a video player and can now access Youtube videos  via the youtube-dl hook.

Leaving this open in case anybody objects to the methodology.

CC: (none) => tarazed25

Len Lawrence 2018-02-12 23:53:52 CET

Whiteboard: (none) => MGA6-64-OK

Comment 7 José Jorge 2018-02-14 14:22:28 CET
Tested from mirrors in i586, downloads ok.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Len Lawrence 2018-02-15 08:15:47 CET

Whiteboard: MGA6-64-OK MGA6-32-OK => MGA6-64-OK MGA6-32-OK validated_update

David Walser 2018-02-15 12:04:18 CET

Whiteboard: MGA6-64-OK MGA6-32-OK validated_update => MGA6-64-OK MGA6-32-OK
Keywords: Security => validated_update
CC: (none) => sysadmin-bugs

Comment 8 José Jorge 2018-02-16 11:56:06 CET
Sysadmins, please be careful this is about pushing mpv-0.27.1-1.mga6 while there is already another bug MGA #22603
David Walser 2018-02-16 17:35:57 CET

Blocks: (none) => 22603

Comment 9 David Walser 2018-02-16 17:36:46 CET
1.mga6 has been replaced by 2.mga6, so this will need to be tested again.  You didn't really need to open another bug for it.
David Walser 2018-02-16 17:36:59 CET

Keywords: validated_update => (none)
Whiteboard: MGA6-64-OK MGA6-32-OK => (none)

Comment 10 José Jorge 2018-02-16 19:48:51 CET
Ok. So I have tested in 64 bit vaapi enabled hardware and the fix is good. I have also played a file in 32 bit system without vaapi and it works (without hw accel of course).

How to test?

1.'vainfo' will help to ensure you have vaapi hardware (any intel since 2011 with integrated graphics does). At least the line below should appear.

VAProfileH264High               : VAEntrypointVLD

2.play a 1080p file with mpv. You should get this in the command line :

Using hardware decoding (vaapi).
VO: [vaapi] 1920x1080 vaapi[nv12]

Before this fix, you get "software decoding".
Comment 11 José Jorge 2018-02-16 19:49:32 CET
(In reply to David Walser from comment #9)
> 1.mga6 has been replaced by 2.mga6, so this will need to be tested again. 
> You didn't really need to open another bug for it.

I saw the advisory was done, I thought it was too late. Cool if not.
Comment 12 David Walser 2018-02-16 20:00:07 CET
It doesn't look like the advisory has been committed to SVN yet, but even if it had been, they'd have just had to update it.
Comment 13 Len Lawrence 2018-02-16 21:08:39 CET
Mageia 6 :: x86_64
Had to use my Dell XPS13 for this because vainfo did not work on any of my other machines.

Installed vainfo.
$ vainfo
libva info: VA-API version 0.39.4
libva info: va_getDriverName() returns 0
libva info: Trying to open /usr/lib64/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_0_39
libva info: va_openDriver() returns 0
vainfo: VA-API version: 0.39 (libva 1.7.3)
vainfo: Driver version: Intel i965 driver for Intel(R) Kabylake - 1.7.3
vainfo: Supported profile and entrypoints
      VAProfileMPEG2Simple            :	VAEntrypointVLD
......................

Updated the mpv packages.
$ mpv Sonata.mp4
Auto-loading profile 'vo.vdpau'
'vo' auto profiles are deprecated.
Playing: Sonata.mp4
 (+) Video --vid=1 (*) (h264 1920x1080 23.974fps)
 (+) Audio --aid=1 --alang=und (*) (aac 2ch 44100Hz)
Failed to open VDPAU backend libvdpau_va_gl.so: cannot open shared object file: No such file or directory
[vo/vdpau] Error when calling vdp_device_create_x11: 1
libva info: VA-API version 0.39.4
libva info: va_getDriverName() returns 0
libva info: Trying to open /usr/lib64/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_0_39
libva info: va_openDriver() returns 0
Failed to open VDPAU backend libvdpau_va_gl.so: cannot open shared object file: No such file or directory
AO: [pulse] 44100Hz stereo 2ch float
Using hardware decoding (vaapi).
VO: [vaapi] 1920x1080 vaapi[nv12]

Giving this an OK for 64 bits.

Whiteboard: (none) => MGA6-64-OK

Comment 14 José Jorge 2018-02-17 12:11:25 CET
I am sorry about that, but upstream pushed another fix to allow youtube video subtitles which were broken with previous security fix.


So here is - I hope - final advisory.

Whiteboard: MGA6-64-OK => (none)

Comment 15 José Jorge 2018-02-17 12:13:33 CET
Advisory:

Josef Gajdusek reported that mpv 0.27.0 was vulnerable to an attack through it's youtube-dl hook. This could cause remote code execution. This upstream update creates of list of sure protocols to use through the hook.

References :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
https://github.com/mpv-player/mpv/releases/tag/v0.27.2

This update also fixes VAAPI accelerated decoding which is broken in upstream release.

RPMS :
mpv-0.27.2-1.mga6
lib{64}mpv1-0.27.2-1.mga6
libmpv-devel-0.27.2-1.mga6

SRPM:
mpv-0.27.2-1.mga6
Comment 16 Len Lawrence 2018-02-17 20:40:46 CET
Mageia6 :: x86_64

Updated the packages:
$ rpm -qa | grep mpv
mpv-0.27.2-1.mga6
lib64mpv1-0.27.2-1.mga6
lib64mpv-devel-0.27.2-1.mga6

Did not test VAAPI hardware - the earlier test shall have to do.

$ mpv https://www.youtube.com/watch?v=5ZlD8s4EUy0
Auto-loading profile 'vo.vdpau'
'vo' auto profiles are deprecated.
Playing: https://www.youtube.com/watch?v=5ZlD8s4EUy0
 (+) Video --vid=1 (*) (vp9 1920x1080 29.970fps)
 (+) Audio --aid=1 --alang=eng (*) 'DASH audio' (opus 2ch 48000Hz) (external)
AO: [pulse] 48000Hz stereo 2ch float
VO: [vdpau] 1920x1080 yuv420p
....................................

This looks good enough.
Len Lawrence 2018-02-17 20:41:04 CET

Whiteboard: (none) => MGA6-64-OK


Note You need to log in before you can comment on or make changes to this bug.