author | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-01 13:26:28 -0600 |
---|---|---|
committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-06-01 13:26:28 -0600 |
commit | 0fcb259c12a96da3618244464798ab9aedf241c0 (patch) | |
tree | aa0937509803537fd6399312e00432da7fcf6ef0 | |
parent | b3a7fe85b868b1cd8dd13dda5496c8d18ae41a48 (diff) |
community/mpv: add mitigation for CVE-2021-30145
-rw-r--r-- | community/mpv/APKBUILD | 12 | ||||
-rw-r--r-- | community/mpv/CVE-2021-30145.patch | 87 |
2 files changed, 96 insertions, 3 deletions
diff --git a/community/mpv/APKBUILD b/community/mpv/APKBUILD index 1b6aa051f20..a2fe91b7808 100644 --- a/community/mpv/APKBUILD +++ b/community/mpv/APKBUILD @@ -5,7 +5,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mpv pkgver=0.33.0 -pkgrel=0 +pkgrel=1 pkgdesc="Video player based on MPlayer/mplayer2" url="https://mpv.io/" arch="all" @@ -60,9 +60,12 @@ subpackages=" $pkgname-zsh-completion:zshcomp:noarch " options="net" # downloads a waf tarball -source="mpv-$pkgver.tar.gz::https://github.com/mpv-player/mpv/archive/v$pkgver.tar.gz" +source="mpv-$pkgver.tar.gz::https://github.com/mpv-player/mpv/archive/v$pkgver.tar.gz + CVE-2021-30145.patch" # secfixes: +# 0.33.0-r1: +# - CVE-2021-30145 # 0.27.0-r3: # - CVE-2018-6360 @@ -122,4 +125,7 @@ zshcomp() { amove usr/share/zsh/site-functions } -sha512sums="5a4af74ba2c9656c6b61adcf944c734923c7b4527a49cd79ec63a0617911629438a138d887dfbd4b6c0c9c53e2c68c18839d98d9765179e52cc5675d0682e077 mpv-0.33.0.tar.gz" +sha512sums=" +5a4af74ba2c9656c6b61adcf944c734923c7b4527a49cd79ec63a0617911629438a138d887dfbd4b6c0c9c53e2c68c18839d98d9765179e52cc5675d0682e077 mpv-0.33.0.tar.gz +53033657588e8e13e8b1191440fcecc2f45dc3e41f4182d00243c8c012774e2f78bff17d2025467f7f516bda745cfdc6ead5d71e329743e17ae6c7cdddfcbc77 CVE-2021-30145.patch +" diff --git a/community/mpv/CVE-2021-30145.patch b/community/mpv/CVE-2021-30145.patch new file mode 100644 index 00000000000..b02036042ca --- /dev/null +++ b/community/mpv/CVE-2021-30145.patch 
@@ -0,0 +1,87 @@ +From d0c530919d8cd4d7a774e38ab064e0fabdae34e6 Mon Sep 17 00:00:00 2001 +From: "Avi Halachmi (:avih)" <avihpit@yahoo.com> +Date: Sun, 4 Apr 2021 14:11:15 +0300 +Subject: [PATCH] demux_mf: improve format string processing + +Before this commit, the user could specify a printf format string +which wasn't verified, and could result in: +- Undefined behavior due to missing or non-matching arguments. +- Buffer overflow due to untested result length. + +The offending code was added at commit 103a9609 (2002, mplayer svn): +git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@4566 b3059339-0415-0410-9bf9-f77b7e298cf2 + +It moved around but was not modified meaningfully until now. + +Now we reject all conversion specifiers at the format except %% +and a simple subset of the valid specifiers. Also, we now use +snprintf to avoid buffer overflow. + +The format string is provided by the user as part of mf:// URI. + +Report and initial patch by Stefan Schiller. +Patch reviewed by @jeeb, @sfan5, Stefan Schiller. +--- + demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 2 deletions(-) + +diff --git a/demux/demux_mf.c b/demux/demux_mf.c +index 424821b965f..40f94f4e4ed 100644 +--- a/demux/demux_mf.c ++++ b/demux/demux_mf.c +@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename + goto exit_mf; + } + +- char *fname = talloc_size(mf, strlen(filename) + 32); ++ size_t fname_avail = strlen(filename) + 32; ++ char *fname = talloc_size(mf, fname_avail); + + #if HAVE_GLOB + if (!strchr(filename, '%')) { +@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename + } + #endif + ++ // We're using arbitrary user input as printf format with 1 int argument. 
++ // Any format which uses exactly 1 int argument would be valid, but for ++ // simplicity we reject all conversion specifiers except %% and simple ++ // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid) ++ const char *f = filename; ++ int MAXDIGS = 3, nspec = 0, bad_spec = 0, c; ++ ++ while (nspec < 2 && (c = *f++)) { ++ if (c != '%') ++ continue; ++ if (*f != '%') { ++ nspec++; // conversion specifier which isn't %% ++ if (*f == '.') ++ f++; ++ for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++) ++ /* no-op */; ++ if (*f != 'd') { ++ bad_spec++; // not int, or beyond our validation capacity ++ break; ++ } ++ } ++ // *f is '%' or 'd' ++ f++; ++ } ++ ++ // nspec==0 (zero specifiers) is rejected because fname wouldn't advance. ++ if (bad_spec || nspec != 1) { ++ mp_err(log, "unsupported expr format: '%s'\n", filename); ++ goto exit_mf; ++ } ++ + mp_info(log, "search expr: %s\n", filename); + + while (error_count < 5) { +- sprintf(fname, filename, count++); ++ if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) { ++ mp_err(log, "format result too long: '%s'\n", filename); ++ goto exit_mf; ++ } + if (!mp_path_exists(fname)) { + error_count++; + mp_verbose(log, "file not found: '%s'\n", fname); |
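Review bot: The truncation guard at the end of the second hunk compares snprintf's `int` return directly with the `size_t` `fname_avail`, so a negative return (encoding error) is rejected only because the implicit signed-to-unsigned conversion turns it into a huge value, and the mixed comparison will draw a -Wsign-compare warning; capture the result and test both cases explicitly: `int n = snprintf(fname, fname_avail, filename, count++);` followed by `if (n < 0 || (size_t)n >= fname_avail) {`. The validator loop itself looks sound for its stated scope: `%n`, length modifiers, flags such as `-`/`+` and a trailing lone `%` all fall into the `*f != 'd'` rejection, `%%` is skipped, and a second specifier ends the loop with `nspec != 1`. What a reader cannot tell from the loop is that a width or precision of up to 999 is still accepted and that the resulting over-long name is caught only by the bounded snprintf, since `fname_avail` is just `strlen(filename) + 32`; a comment above `while (nspec < 2 ...)` such as `// Width/precision up to 3 digits is accepted here; oversized results are rejected by the bounded snprintf below, not by this check.` would make that division of responsibility explicit. `open_mf_pattern` begins and ends outside this hunk.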