multimedia/mpv CVE-2018-6360

Ingo Feinerer-2
Hi,

multimedia/mpv is currently at 0.22.0 (from 2016) and seems to be
affected by CVE-2018-6360
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360).

I tried to update to 0.29.1 but configure stops because FFmpeg 4.0 or
newer is needed (we only have 2.8.15).

Is there a specific reason why FFmpeg is kept on the 2.8 branch?

Or should we try to backport the patch to the ancient 0.22.0 version?

Best regards,
Ingo

Re: multimedia/mpv CVE-2018-6360

Klemens Nanni-2
On Sun, Oct 28, 2018 at 06:35:23PM +0100, Ingo Feinerer wrote:
> Is there a specific reason why FFmpeg is kept on the 2.8 branch?
It's a non-trivial port and the configure script would run into endless
loops during both of my update attempts.  

mpv is of similar nature - I pretty much stopped working on them
because it was too frustrating.

Re: multimedia/mpv CVE-2018-6360

Olivier Taïbi
The loops are caused by the unique() function in configure, which spawns
many instances of ksh (it seems that bash handles 'eval' differently).
Its purpose is to turn a list of words into a list of unique words. I
propose the following perl script instead (beware, it's my first perl
script) called unique.pl:

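#!/usr/bin/env perl
use strict;
use warnings;

# Read whitespace-separated words from stdin and print each word once.
# Words are ordered by their last occurrence, like the shell loop in
# configure's unique() that this script replaces (plain hash key order
# would differ from run to run).
my %last_seen;
my $pos = 0;

while (defined(my $line = <STDIN>)) {
    # split ' ' skips leading whitespace and drops the trailing newline
    foreach my $word (split ' ', $line) {
        $last_seen{$word} = $pos++;
    }
}

my @words_list = sort { $last_seen{$a} <=> $last_seen{$b} } keys %last_seen;
print join(" ", @words_list), "\n";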

Here is the diff for the configure script:

--- configure.orig Wed Jul 18 15:51:59 2018
+++ configure Mon Oct 29 23:15:01 2018
@@ -838,10 +838,10 @@
 
 unique(){
     var=$1
-    uniq_list=""
-    for tok in $(eval echo \$$var); do
-        uniq_list="$(filter_out $tok $uniq_list) $tok"
-    done
+    uniq_list=$(echo \$$var | ./unique.py)
     eval "$var=\"${uniq_list}\""
 }
 
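Review bot: the added line `uniq_list=$(echo \$$var | ./unique.py)` drops the `eval` that the removed loop used in `$(eval echo \$$var)`, so `echo` prints a literal `$` followed by the variable name instead of the variable's contents and the script never receives the word list; keep the indirection, for example `eval echo \$$var | ...`. The same line pipes to `./unique.py` while the script in this message is called unique.pl, and the `./` path only resolves when configure is run from the directory that holds the script.
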
With the following configure options, it builds on my amd64 machine, and
ffplay seems to work normally:
./configure --enable-shared --arch=amd64 --cc=cc \
                --disable-altivec \
                --disable-debug \
                --disable-iconv \
                --disable-indev=jack \
                --disable-indev=oss \
                --disable-lzma \
                --disable-mips32r5 \
                --disable-mips64r6 \
                --disable-mipsdspr2 \
                --disable-mipsfpu \
                --disable-mmi \
                --disable-msa \
                --disable-outdev=oss \
                --enable-fontconfig \
                --enable-gpl \
                --enable-libass \
                --enable-libfreetype \
                --enable-libfribidi \
                --enable-libgsm \
                --enable-libmp3lame \
                --enable-libopus \
                --enable-libspeex \
                --enable-libv4l2 \
                --enable-libvorbis \
                --enable-libvpx \
                --enable-libx264 \
                --enable-libx265 \
                --enable-libxvid \
                --enable-nonfree \
                --enable-openssl \
                --extra-cflags="-I/usr/local/include -I/usr/X11R7/include" \
                --extra-libs="-L/usr/local/lib -L/usr/X11R6/lib" \
                --mandir=/usr/share/man \
                --optflags="-Wno-redundant-decls"

I tried to modify the existing port (see attached file) but I'm very new
to OpenBSD and I haven't been able to include unique.pl yet, so at the
moment you would have to copy it in pobj after extraction and patching.
I did not try very hard: I simply modified the previous port, removing
patches first. Changes:
- versions for libs
- libavresample is now deprecated, use libswresample instead
- mipsdspr1 became mipsdsp
- I removed the --disable-outdev=sdl option because I do not understand
  why it is here.

I haven't tried to build mpv yet so I don't know if it's the same problem.

ffmpeg.tar.gz (3K) Download Attachment
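
An added example, not code from this thread or from FFmpeg's configure: a POSIX sh `unique()` that deduplicates with shell builtins only, so it starts no extra shell per token, and keeps the last-occurrence ordering of the loop removed in the diff above. It assumes the words contain no whitespace or glob characters; the name check before `eval` is an addition of this example.

```shell
# unique VARNAME: rewrite the variable named VARNAME so that each word
# appears once, ordered by last occurrence (the result the removed
# filter_out loop produced). Only builtins are used: no $(...) and no
# external helper script.
# Assumption: words contain no whitespace or glob characters.
unique() {
    var=$1
    # The name is passed to eval, so accept only a plain identifier.
    case $var in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "list=\$$var"          # indirect read of the named variable
    uniq_list=""
    for tok in $list; do
        rest=""
        # Drop any earlier copy of $tok, then append it at the end.
        for w in $uniq_list; do
            [ "$w" = "$tok" ] || rest="$rest $w"
        done
        uniq_list="$rest $tok"
    done
    uniq_list=${uniq_list# }    # strip the single leading space
    # Assign without re-expanding the contents of the list.
    eval "$var=\$uniq_list"
}

# Constructed sample input, not taken from a real configure run.
EXTRALIBS="-lm -lz -lm -lssl -lz"
unique EXTRALIBS
echo "$EXTRALIBS"
```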