Created attachment 190450 [details] Document CVE-2018-6360 "mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL." * CVE-2018-6360 * Summary: https://nvd.nist.gov/vuln/detail/CVE-2018-6360 * Upstream issue: https://github.com/mpv-player/mpv/issues/5456
A commit references this bug: Author: cpm Date: Fri Feb 9 20:03:07 UTC 2018 New revision: 461331 URL: https://svnweb.freebsd.org/changeset/ports/461331 Log: Document vulnerability in Mpv PR: 225783 Submitted by: Vladimir Krstulja <vlad-fbsd@acheronmedia.com> Obtained from: https://nvd.nist.gov/vuln/detail/CVE-2018-6360 Security: CVE-2018-6360 Changes: head/security/vuxml/vuln.xml
Committed! Thanks