openSUSE has issued an advisory on May 24: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QVXB4F67QODLPKYBZX7SBXTE7ESGKGOD/ The issue is fixed upstream in 0.33.1. Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOOStatus comment: (none) => Fixed upstream in 0.33.1
fixed in mga7/8 src: - mpv-0.29.1-8.1.mga7 - mpv-0.32.0-6.1.mga8
Status comment: Fixed upstream in 0.33.1 => (none)CC: (none) => mageiaVersion: Cauldron => 8Assignee: bugsquad => qa-bugsWhiteboard: MGA8TOO, MGA7TOO => MGA7TOO
RPMS: mpv-0.29.1-8.1.mga7 libmpv1-0.29.1-8.1.mga7 libmpv-devel-0.29.1-8.1.mga7 mpv-0.32.0-6.1.mga8 libmpv-devel-0.32.0-6.1.mga8 libmpv1-0.32.0-6.1.mga8
mga7, x64 CVE-2021-30145 Tried to find a playlist which would expose the vulnerability. Nothing doing. $ mpv http://10.0.0.1/evil.m3u Playing: http://10.0.0.1/evil.m3u [ffmpeg] tcp: Connection to tcp://10.0.0.1:80 failed: Connection timed out Updated the three packages and hauled in another 133. $ mpv https://www.youtube.com/watch?v=......... Playing: https://www.youtube.com/watch?v=........ (+) Video --vid=1 (*) (h264 1280x720 29.970fps) (+) Audio --aid=1 (*) 'tiny' (aac 2ch 44100Hz) (external) AO: [pulse] 44100Hz stereo 2ch s32 VO: [gpu] 1280x720 yuv420p AV: 00:00:33 / 00:11:22 (4%) A-V: 0.000 Dropped: 1 Cache: 47s+11MB [ffmpeg] NULL: Invalid NAL unit size (13631 > 1912). [ffmpeg] NULL: missing picture in access unit with size 1916 Exiting... (Quit) That worked well. Played some local music files with formats aif, wav, paf, snd, flac, ogg, mp3. Played video and sound in webm, mkv and mp4 formats. $ mpv youtube.m3u Played successive music videos.
CC: (none) => tarazed25
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
mga8, x64 Updated the mpv packages and ran mpv against a number of video and audio formats. No regressions noted. $ mpv TheCorries.m3u Playing: /home/lcl/Music/wav/corries/CamYeByAtholl.wav (+) Audio --aid=1 (pcm_s16le 2ch 44100Hz) AO: [pulse] 44100Hz stereo 2ch s16 A: 00:00:17 / 00:02:25 (12%) Works fine with playlist files.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Advisory: ======================== Updated mpv packages fix a security vulnerability: Fixed format string vulnerability allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file (CVE-2021-30145). References: - https://bugs.mageia.org/show_bug.cgi?id=29058 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30145 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QVXB4F67QODLPKYBZX7SBXTE7ESGKGOD/ ======================== Updated packages in 8/core/updates_testing: ======================== mpv-0.32.0-6.1.mga8 lib(64)mpv-devel-0.32.0-6.1.mga8 lib(64)mpv1-0.32.0-6.1.mga8 from SRPM: mpv-0.32.0-6.1.mga8 ======================== Updated packages in 7/core/updates_testing: ======================== mpv-0.29.1-8.1.mga7 lib(64)mpv1-0.29.1-8.1.mga7 lib(64)mpv-devel-0.29.1-8.1.mga7 from SRPM: mpv-0.29.1-8.1.mga7
CC: (none) => ouaurelienCVE: (none) => CVE-2021-30145Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0235.html
Status: NEW => RESOLVEDResolution: (none) => FIXED