Date: Fri, 09 Feb 2018 00:54:28 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 225783] security/vuxml: Document vulnerability in mpv (CVE-2018-6360)
Message-ID: <bug-225783-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225783

Bug ID: 225783
Summary: security/vuxml: Document vulnerability in mpv (CVE-2018-6360)
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://github.com/mpv-player/mpv/issues/5456
OS: Any
Status: New
Keywords: patch, security
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: ports-secteam@FreeBSD.org
Reporter: vlad-fbsd@acheronmedia.com
CC: cpm@freebsd.org
Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)
Assignee: ports-secteam@FreeBSD.org

Created attachment 190450
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=190450&action=edit
Document CVE-2018-6360

"mpv through 0.28.0 allows remote attackers to execute arbitrary code via a
crafted web site, because it reads HTML documents containing VIDEO elements,
and accepts arbitrary URLs in a src attribute without a protocol whitelist in
player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies
that the product should call dlopen on a shared object file located at an
arbitrary local pathname. The issue exists because the product does not
consider that youtube-dl can provide a potentially unsafe URL."

* CVE-2018-6360
* Summary: https://nvd.nist.gov/vuln/detail/CVE-2018-6360
* Upstream issue: https://github.com/mpv-player/mpv/issues/5456

-- 
You are receiving this mail because:
You are the assignee for the bug.
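
Added example (not part of the original message, and not mpv's or youtube-dl's code): the description above attributes the issue to URLs supplied by youtube-dl being accepted without a protocol whitelist. The Python code below applies such an allowlist to every media URL in a youtube-dl style JSON result before anything is handed to a player; the allowlist contents, the function names and the sample data are assumptions made for illustration.

```python
import json
import re

# Assumption: only these network schemes are needed; extend deliberately.
SAFE_SCHEMES = frozenset({"http", "https"})
# Scheme must start the string: leading whitespace or a bare path is rejected.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def url_is_safe(url):
    """True only for an absolute URL whose scheme is on the allowlist."""
    if not isinstance(url, str):
        return False
    m = _SCHEME_RE.match(url)
    return bool(m) and m.group(1).lower() in SAFE_SCHEMES


def iter_urls(info, path="$"):
    """Yield (json_path, url) for every media URL in a youtube-dl info dict."""
    if "url" in info:
        yield path + ".url", info["url"]
    for key in ("formats", "requested_formats", "entries"):
        for i, item in enumerate(info.get(key) or []):
            if isinstance(item, dict):
                yield from iter_urls(item, f"{path}.{key}[{i}]")
    for lang, tracks in (info.get("subtitles") or {}).items():
        for i, track in enumerate(tracks or []):
            if isinstance(track, dict) and "url" in track:
                yield f"{path}.subtitles.{lang}[{i}].url", track["url"]


def unsafe_urls(info):
    """Return the (json_path, url) pairs that must not reach the player."""
    return [(p, u) for p, u in iter_urls(info) if not url_is_safe(u)]


# Constructed sample of extractor output (not captured from a real site).
SAMPLE = json.loads("""
{"title": "constructed example",
 "formats": [
   {"format_id": "a", "url": "https://media.example/v.mp4"},
   {"format_id": "b", "url": "AV://lavfi:ladspa=file=/placeholder/path.so"},
   {"format_id": "c", "url": " https://media.example/w.mp4"}],
 "entries": [{"url": "file:///etc/hostname"}]}
""")

if __name__ == "__main__":
    for path, url in unsafe_urls(SAMPLE):
        print("rejected", path, repr(url))
```

The check is an allowlist rather than a blocklist, so a scheme it has never seen is rejected by default, whatever its letter case.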