aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2021-06-01 13:26:28 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-06-01 13:26:28 -0600
commit0fcb259c12a96da3618244464798ab9aedf241c0 (patch)
treeaa0937509803537fd6399312e00432da7fcf6ef0
parentb3a7fe85b868b1cd8dd13dda5496c8d18ae41a48 (diff)
downloadaports-0fcb259c12a96da3618244464798ab9aedf241c0.tar.gz
aports-0fcb259c12a96da3618244464798ab9aedf241c0.tar.bz2
aports-0fcb259c12a96da3618244464798ab9aedf241c0.tar.xz
community/mpv: add mitigation for CVE-2021-30145
-rw-r--r--community/mpv/APKBUILD12
-rw-r--r--community/mpv/CVE-2021-30145.patch87
2 files changed, 96 insertions, 3 deletions
diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD
index 1b6aa051f2..a2fe91b780 100644
--- a/community/mpv/APKBUILD
+++ b/community/mpv/APKBUILD
@@ -5,7 +5,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mpv
pkgver=0.33.0
-pkgrel=0
+pkgrel=1
pkgdesc="Video player based on MPlayer/mplayer2"
url="https://mpv.io/"
arch="all"
@@ -60,9 +60,12 @@ subpackages="
$pkgname-zsh-completion:zshcomp:noarch
"
options="net" # downloads a waf tarball
-source="mpv-$pkgver.tar.gz::https://github.com/mpv-player/mpv/archive/v$pkgver.tar.gz"
+source="mpv-$pkgver.tar.gz::https://github.com/mpv-player/mpv/archive/v$pkgver.tar.gz
+ CVE-2021-30145.patch"
# secfixes:
+# 0.33.0-r1:
+# - CVE-2021-30145
# 0.27.0-r3:
# - CVE-2018-6360
@@ -122,4 +125,7 @@ zshcomp() {
amove usr/share/zsh/site-functions
}
-sha512sums="5a4af74ba2c9656c6b61adcf944c734923c7b4527a49cd79ec63a0617911629438a138d887dfbd4b6c0c9c53e2c68c18839d98d9765179e52cc5675d0682e077 mpv-0.33.0.tar.gz"
+sha512sums="
+5a4af74ba2c9656c6b61adcf944c734923c7b4527a49cd79ec63a0617911629438a138d887dfbd4b6c0c9c53e2c68c18839d98d9765179e52cc5675d0682e077 mpv-0.33.0.tar.gz
+53033657588e8e13e8b1191440fcecc2f45dc3e41f4182d00243c8c012774e2f78bff17d2025467f7f516bda745cfdc6ead5d71e329743e17ae6c7cdddfcbc77 CVE-2021-30145.patch
+"
diff --git a/community/mpv/CVE-2021-30145.patch b/community/mpv/CVE-2021-30145.patch
new file mode 100644
index 0000000000..b02036042c
--- /dev/null
+++ b/community/mpv/CVE-2021-30145.patch
@@ -0,0 +1,87 @@
+From d0c530919d8cd4d7a774e38ab064e0fabdae34e6 Mon Sep 17 00:00:00 2001
+From: "Avi Halachmi (:avih)" <avihpit@yahoo.com>
+Date: Sun, 4 Apr 2021 14:11:15 +0300
+Subject: [PATCH] demux_mf: improve format string processing
+
+Before this commit, the user could specify a printf format string
+which wasn't verified, and could result in:
+- Undefined behavior due to missing or non-matching arguments.
+- Buffer overflow due to untested result length.
+
+The offending code was added at commit 103a9609 (2002, mplayer svn):
+git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@4566 b3059339-0415-0410-9bf9-f77b7e298cf2
+
+It moved around but was not modified meaningfully until now.
+
+Now we reject all conversion specifiers at the format except %%
+and a simple subset of the valid specifiers. Also, we now use
+snprintf to avoid buffer overflow.
+
+The format string is provided by the user as part of mf:// URI.
+
+Report and initial patch by Stefan Schiller.
+Patch reviewed by @jeeb, @sfan5, Stefan Schiller.
+---
+ demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/demux/demux_mf.c b/demux/demux_mf.c
+index 424821b965f..40f94f4e4ed 100644
+--- a/demux/demux_mf.c
++++ b/demux/demux_mf.c
+@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+ goto exit_mf;
+ }
+
+- char *fname = talloc_size(mf, strlen(filename) + 32);
++ size_t fname_avail = strlen(filename) + 32;
++ char *fname = talloc_size(mf, fname_avail);
+
+ #if HAVE_GLOB
+ if (!strchr(filename, '%')) {
+@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+ }
+ #endif
+
++ // We're using arbitrary user input as printf format with 1 int argument.
++ // Any format which uses exactly 1 int argument would be valid, but for
++ // simplicity we reject all conversion specifiers except %% and simple
++ // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid)
++ const char *f = filename;
++ int MAXDIGS = 3, nspec = 0, bad_spec = 0, c;
++
++ while (nspec < 2 && (c = *f++)) {
++ if (c != '%')
++ continue;
++ if (*f != '%') {
++ nspec++; // conversion specifier which isn't %%
++ if (*f == '.')
++ f++;
++ for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++)
++ /* no-op */;
++ if (*f != 'd') {
++ bad_spec++; // not int, or beyond our validation capacity
++ break;
++ }
++ }
++ // *f is '%' or 'd'
++ f++;
++ }
++
++ // nspec==0 (zero specifiers) is rejected because fname wouldn't advance.
++ if (bad_spec || nspec != 1) {
++ mp_err(log, "unsupported expr format: '%s'\n", filename);
++ goto exit_mf;
++ }
++
+ mp_info(log, "search expr: %s\n", filename);
+
+ while (error_count < 5) {
+- sprintf(fname, filename, count++);
++ if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) {
++ mp_err(log, "format result too long: '%s'\n", filename);
++ goto exit_mf;
++ }
+ if (!mp_path_exists(fname)) {
+ error_count++;
+ mp_verbose(log, "file not found: '%s'\n", fname);