Bug#982249: New upstream version 0.33.0 - Please package
Package: mpv
Followup-For: Bug #982249
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hey!
Here is a patch to update to 0.33.1. If you prefer to pull directly
from Salsa, the branches are available on my fork:
https://salsa.debian.org/bernat/mpv
- -- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.13.0-trunk-amd64 (SMP w/12 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mpv depends on:
ii libarchive13 3.4.3-2+b1
ii libasound2 1.2.5.1-1
ii libass9 1:0.15.1-2
ii libavcodec58 7:4.4-5
ii libavdevice58 7:4.4-5
ii libavfilter7 7:4.4-5
ii libavformat58 7:4.4-5
ii libavutil56 7:4.4-5
ii libbluray2 1:1.3.0-3
ii libc6 2.31-17
ii libcaca0 0.99.beta19-2.2
ii libcdio-cdda2 10.2+2.0.0-1+b2
ii libcdio-paranoia2 10.2+2.0.0-1+b2
ii libcdio19 2.1.0-2
ii libdrm2 2.4.107-2
ii libdvdnav4 6.1.1-1
ii libegl1 1.3.2-1
ii libgbm1 21.2.1-1
ii libjack-jackd2-0 [libjack-0.125] 1.9.17~dfsg-1
ii libjpeg62-turbo 1:2.0.6-4
ii liblcms2-2 2.12~rc1-2
ii liblua5.2-0 5.2.4-1.1+b3
ii libpulse0 15.0+dfsg1-2
ii librubberband2 1.9.0-1
ii libsdl2-2.0-0 2.0.14+dfsg2-3
ii libswresample3 7:4.4-5
ii libswscale5 7:4.4-5
ii libuchardet0 0.0.7-1
ii libva-drm2 2.12.0-2
ii libva-wayland2 2.12.0-2
ii libva-x11-2 2.12.0-2
ii libva2 2.12.0-2
ii libvdpau1 1.4-3
ii libwayland-client0 1.19.0-2
ii libwayland-cursor0 1.19.0-2
ii libwayland-egl1 1.19.0-2
ii libx11-6 2:1.7.2-1
ii libxext6 2:1.3.3-1.1
ii libxinerama1 2:1.1.4-2
ii libxkbcommon0 1.0.3-2
ii libxrandr2 2:1.5.1-1
ii libxss1 1:1.2.3-1
ii libxv1 2:1.0.11-1
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages mpv recommends:
ii xdg-utils 1.1.3-4.1
ii youtube-dl 2021.06.06-1
mpv suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAmEl9TUSHGJlcm5hdEBk
ZWJpYW4ub3JnAAoJEJWkL+g1NSX5KEMQAJtafIg14KBpg95jlrsgsIQxym5SHT9+
6n8hqgFFuzwZLRjfEli4I8Xhjjn64KQ0pby2kGsXYsZcO1BEwfjiwb+TQzxTKmA2
4lUWiyVwBUhaog61/GAVEkrnuOjk1y13+jFTF4zl4TeU0ZgtGZ6jlBNOqVPFCdSf
JI9PtwBAkkmBKU5uHihfKvLeAhtKKzOMY/6jPIXP5+LNWUV3s65Bzit98shynE2w
zIxEQNvNHG3DSwhzwwb/VKgvNXCWHO21CFaPPK7bEbLbGj5TevL9Cw1hCRPP5gIF
kWPGuUAXEZfbT1sJbGt47kx1aB5acPYPOOhPtJvVGgFEwk0YD+p7gjsdEqVgvRw+
YwBqOnIMFIIDJ/bQ/cKvHOLFOLa+QK/YAyaIw7FA3bG7KN8XcEJGUT+i1I2FnuK1
B1RHBTvP3QhZq4Zo087+v6Bb/Ft7i+72bS/ZwEvZZqs+vpkBwedAqhwG90VySJdL
NwVLieqqGwYOKiTFrtO3xi+8cd6D9EySftfsJVXd1RbdRP062Ks9M6XRJVlNMjpV
peLgN/bAT4E3IvpPPYIlxhkL2ucsotXyV7OgUAFiw+VaMkkToH5BUOuyEd8ZRH6i
pPj9YghGtOHYESTApcdtHWrvwuQMEzjpA8nsOR5HT99CHfJjROEgxfl4llqSf9d5
mRmCmSBCOEO8
=ay07
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index b896541ff7f3..0abbbc810204 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+mpv (0.33.1-1) unstable; urgency=medium
+
+ * New upstream release. Closes: #982249.
+ * d/patches: remove fix for CVE-2021-30145, applied upstream.
+ * d/patches: remove ffmpeg ABI fix, applied upstream.
+ * d/patches: remove Lua security fix, applied upstream.
+ * d/rules: don't build with SMB client support (removed upstream).
+ * d/rules: don't build with sndio support (removed upstream).
+ * d/symbols: update.
+
+ -- Vincent Bernat <bernat@debian.org> Wed, 25 Aug 2021 09:20:59 +0200
+
mpv (0.32.0-3) unstable; urgency=medium
* debian/patches: Apply upstream fix for CVE-2021-30145 (Closes: #986839)
diff --git a/debian/control b/debian/control
index a36186f0fcb2..7724677d81c1 100644
--- a/debian/control
+++ b/debian/control
@@ -31,8 +31,6 @@ Build-Depends:
libpulse-dev,
librubberband-dev,
libsdl2-dev,
- libsmbclient-dev,
- libsndio-dev (>= 1.0.1),
libswscale-dev (>= 7:4.0),
libuchardet-dev,
libva-dev,
diff --git a/debian/copyright b/debian/copyright
index df8b0152d1e1..bcce6925433f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,21 +1,11 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: mpv
Source: https://github.com/mpv-player/mpv/releases
-Comment:
- While the mpv source code is distributed mostly under the GPL-2+ or LGPL-2.1+
- licenses, the binaries are distributed under the GPL-3+ license because they
- are linked to the GPL-3+ libsmbclient library.
Files: *
Copyright: 2000-2020, mpv/MPlayer/mplayer2 projects
License: LGPL-2.1+
-Files: audio/out/ao_sndio.c
-Copyright:
- 2008, Alexandre Ratchov <alex@caoua.org>
- 2013, Christian Neukirchen <chneukirchen@gmail.com>
-License: ISC
-
Files: debian/*
Copyright:
2013 Alessandro Ghedini <ghedo@debian.org>
@@ -58,7 +48,6 @@ Files:
stream/stream_cdda.c
stream/stream_dvb.c
stream/stream_dvdnav.c
- stream/stream_smb.c
video/out/vo_caca.c
video/out/vo_direct3d.c
video/out/vo_vaapi.c
diff --git a/debian/libmpv1.symbols b/debian/libmpv1.symbols
index c517c57b9fe6..fffa129ac311 100644
--- a/debian/libmpv1.symbols
+++ b/debian/libmpv1.symbols
@@ -2,6 +2,7 @@ libmpv.so.1 libmpv1 #MINVER#
* Build-Depends-Package: libmpv-dev
mpv_abort_async_command@Base 0.30.0
mpv_client_api_version@Base 0.4.0
+ mpv_client_id@Base 0.33.1-1
mpv_client_name@Base 0.4.0
mpv_command@Base 0.4.0
mpv_command_async@Base 0.4.0
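Review bot: The minimum version on the new `mpv_client_id@Base 0.33.1-1` entry includes the Debian revision, unlike every existing entry in this file (`0.30.0`, `0.4.0`), which carry only the upstream version. dpkg-gensymbols will then generate a `libmpv1 (>= 0.33.1-1)` dependency, which a backport such as `0.33.1-1~bpo11+1` cannot satisfy, and which would have to be touched on every Debian-revision rebuild. Prefer the upstream version, as the existing lines do: `mpv_client_id@Base 0.33.1` (or `0.33.1~` to admit pre-release and backport versions). The same applies to the `mpv_event_to_node@Base 0.33.1-1` line in the next hunk.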
@@ -16,6 +17,7 @@ libmpv.so.1 libmpv1 #MINVER#
mpv_detach_destroy@Base 0.4.0
mpv_error_string@Base 0.4.0
mpv_event_name@Base 0.4.0
+ mpv_event_to_node@Base 0.33.1-1
mpv_free@Base 0.4.0
mpv_free_node_contents@Base 0.4.0
mpv_get_property@Base 0.4.0
diff --git a/debian/patches/0006-demux_mf-improve-format-string-processing.patch b/debian/patches/0006-demux_mf-improve-format-string-processing.patch
deleted file mode 100644
index 420b3bfa487e..000000000000
--- a/debian/patches/0006-demux_mf-improve-format-string-processing.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: "Avi Halachmi (:avih)" <avihpit@yahoo.com>
-Date: Sun, 25 Apr 2021 19:46:36 +0300
-Subject: demux_mf: improve format string processing
-
-Before this commit, the user could specify a printf format string
-which wasn't verified, and could result in:
-- Undefined behavior due to missing or non-matching arguments.
-- Buffer overflow due to untested result length.
-
-The offending code was added at commit 103a9609 (2002, mplayer svn):
-git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@4566 b3059339-0415-0410-9bf9-f77b7e298cf2
-
-It moved around but was not modified meaningfully until now.
-
-Now we reject all conversion specifiers at the format except %%
-and a simple subset of the valid specifiers. Also, we now use
-snprintf to avoid buffer overflow.
-
-The format string is provided by the user as part of mf:// URI.
-
-Report and initial patch by Stefan Schiller.
-Patch reviewed by @jeeb, @sfan5, Stefan Schiller.
-
-(cherry picked from commit cb3fa04bcb2ba9e0d25788480359157208c13e0b)
----
- demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++--
- 1 file changed, 37 insertions(+), 2 deletions(-)
-
-diff --git a/demux/demux_mf.c b/demux/demux_mf.c
-index ef5a513..7148862 100644
---- a/demux/demux_mf.c
-+++ b/demux/demux_mf.c
-@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
- goto exit_mf;
- }
-
-- char *fname = talloc_size(mf, strlen(filename) + 32);
-+ size_t fname_avail = strlen(filename) + 32;
-+ char *fname = talloc_size(mf, fname_avail);
-
- #if HAVE_GLOB
- if (!strchr(filename, '%')) {
-@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
- }
- #endif
-
-+ // We're using arbitrary user input as printf format with 1 int argument.
-+ // Any format which uses exactly 1 int argument would be valid, but for
-+ // simplicity we reject all conversion specifiers except %% and simple
-+ // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid)
-+ const char *f = filename;
-+ int MAXDIGS = 3, nspec = 0, bad_spec = 0, c;
-+
-+ while (nspec < 2 && (c = *f++)) {
-+ if (c != '%')
-+ continue;
-+ if (*f != '%') {
-+ nspec++; // conversion specifier which isn't %%
-+ if (*f == '.')
-+ f++;
-+ for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++)
-+ /* no-op */;
-+ if (*f != 'd') {
-+ bad_spec++; // not int, or beyond our validation capacity
-+ break;
-+ }
-+ }
-+ // *f is '%' or 'd'
-+ f++;
-+ }
-+
-+ // nspec==0 (zero specifiers) is rejected because fname wouldn't advance.
-+ if (bad_spec || nspec != 1) {
-+ mp_err(log, "unsupported expr format: '%s'\n", filename);
-+ goto exit_mf;
-+ }
-+
- mp_info(log, "search expr: %s\n", filename);
-
- while (error_count < 5) {
-- sprintf(fname, filename, count++);
-+ if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) {
-+ mp_err(log, "format result too long: '%s'\n", filename);
-+ goto exit_mf;
-+ }
- if (!mp_path_exists(fname)) {
- error_count++;
- mp_verbose(log, "file not found: '%s'\n", fname);
diff --git a/debian/patches/05_add-keywords.patch b/debian/patches/05_add-keywords.patch
index 91b0883943db..492721356925 100644
--- a/debian/patches/05_add-keywords.patch
+++ b/debian/patches/05_add-keywords.patch
@@ -6,5 +6,5 @@ Author: Mateusz Łukasik <mati75@linuxmint.pl>
@@ -34,3 +34,4 @@ Terminal=false
Categories=AudioVideo;Audio;Video;Player;TV;
MimeType=application/ogg;application/x-ogg;application/mxf;application/sdp;application/smil;application/x-smil;application/streamingmedia;application/x-streamingmedia;application/vnd.rn-realmedia;application/vnd.rn-realmedia-vbr;audio/aac;audio/x-aac;audio/vnd.dolby.heaac.1;audio/vnd.dolby.heaac.2;audio/aiff;audio/x-aiff;audio/m4a;audio/x-m4a;application/x-extension-m4a;audio/mp1;audio/x-mp1;audio/mp2;audio/x-mp2;audio/mp3;audio/x-mp3;audio/mpeg;audio/mpeg2;audio/mpeg3;audio/mpegurl;audio/x-mpegurl;audio/mpg;audio/x-mpg;audio/rn-mpeg;audio/musepack;audio/x-musepack;audio/ogg;audio/scpls;audio/x-scpls;audio/vnd.rn-realaudio;audio/wav;audio/x-pn-wav;audio/x-pn-windows-pcm;audio/x-realaudio;audio/x-pn-realaudio;audio/x-ms-wma;audio/x-pls;audio/x-wav;video/mpeg;video/x-mpeg2;video/x-mpeg3;video/mp4v-es;video/x-m4v;video/mp4;application/x-extension-mp4;video/divx;video/vnd.divx;video/msvideo;video/x-msvideo;video/ogg;video/quicktime;video/vnd.rn-realvideo;video/x-ms-afs;video/x-ms-asf;audio/x-ms-asf;application/vnd.ms-asf;video/x-ms-wmv;video/x-ms-wmx;video/x-ms-wvxvideo;video/x-avi;video/avi;video/x-flic;video/fli;video/x-flc;video/flv;video/x-flv;video/x-theora;video/x-theora+ogg;video/x-matroska;video/mkv;audio/x-matroska;application/x-matroska;video/webm;audio/webm;audio/vorbis;audio/x-vorbis;audio/x-vorbis+ogg;video/x-ogm;video/x-ogm+ogg;application/x-ogm;application/x-ogm-audio;application/x-ogm-video;application/x-shorten;audio/x-shorten;audio/x-ape;audio/x-wavpack;audio/x-tta;audio/AMR;audio/ac3;audio/eac3;audio/amr-wb;video/mp2t;audio/flac;audio/mp4;application/x-mpegurl;video/vnd.mpegurl;application/vnd.apple.mpegurl;audio/x-pn-au;video/3gp;video/3gpp;video/3gpp2;audio/3gpp;audio/3gpp2;video/dv;audio/dv;audio/opus;audio/vnd.dts;audio/vnd.dts.hd;audio/x-adpcm;application/x-cue;audio/m3u;
- X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb
+ X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,smb,srt
+Keywords=mpv;media;player;video;audio;tv;
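Review bot: The refreshed context line still advertises `smb` in `X-KDE-Protocols`, while this same upload drops `--enable-libsmbclient` from d/rules and `libsmbclient-dev` from d/control, so the packaged mpv no longer carries its own SMB stream layer. KDE applications use this key to decide which URL schemes they may hand to mpv directly rather than through KIO, so smb:// URLs will presumably only keep working if the libavformat build in use provides the smb protocol — something this diff does not show. Since this quilt patch already edits the .desktop file, either confirm that path or drop the entry here: `X-KDE-Protocols=ftp,http,https,mms,rtmp,rtsp,sftp,srt`.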
diff --git a/debian/patches/06_ffmpeg-abi.patch b/debian/patches/06_ffmpeg-abi.patch
deleted file mode 100644
index 8ebac649257d..000000000000
--- a/debian/patches/06_ffmpeg-abi.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Description: Suppress ffmpeg version mismatch error
- Requiring an exact ffmpeg version is usually not a good idea in a binary
- distribution because:
- - All FFmpeg security updates require a subsequent binNMU of mpv.
- - Debian generated dependencies do not capture this dependency well (at least
- without extra hacking).
- - The requirement itself usually indicates an ABI violation.
- For these reasons, remove the check and assume the current FFmpeg version is
- compatible.
-Author: James Cowgill <jcowgill@debian.org>
-Bug-Debian: https://bugs.debian.org/831537
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/player/main.c
-+++ b/player/main.c
-@@ -387,18 +387,6 @@ int mp_initialize(struct MPContext *mpct
- if (handle_help_options(mpctx))
- return 1; // help
-
-- if (!print_libav_versions(mp_null_log, 0)) {
-- // This happens only if the runtime FFmpeg version is lower than the
-- // build version, which will not work according to FFmpeg's ABI rules.
-- // This does not happen if runtime FFmpeg is newer, which is compatible.
-- print_libav_versions(mpctx->log, MSGL_FATAL);
-- MP_FATAL(mpctx, "\nmpv was compiled against an incompatible version of "
-- "FFmpeg/Libav than the shared\nlibrary it is linked against. "
-- "This is most likely a broken build and could\nresult in "
-- "misbehavior and crashes.\n\nThis is a broken build.\n");
-- return -1;
-- }
--
- #if HAVE_TESTS
- if (opts->test_mode && opts->test_mode[0])
- return run_tests(mpctx) ? 1 : -1;
diff --git a/debian/patches/07_io-stdin-used.patch b/debian/patches/07_io-stdin-used.patch
index dccf57bb878d..93139a4a61df 100644
--- a/debian/patches/07_io-stdin-used.patch
+++ b/debian/patches/07_io-stdin-used.patch
@@ -13,4 +13,4 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+_IO_stdin_used
mpv_abort_async_command
mpv_client_api_version
- mpv_client_name
+ mpv_client_id
diff --git a/debian/patches/08_lua_security.patch b/debian/patches/08_lua_security.patch
deleted file mode 100644
index e54b299a4bef..000000000000
--- a/debian/patches/08_lua_security.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 937749b545407aa68b1d15ea5e19a6c23d62da42 Mon Sep 17 00:00:00 2001
-From: astian <astian@e-nautia.com>
-Date: Mon, 11 Feb 2020 21:08:51 +0000
-Subject: [PATCH] lua: fix unintended code execution vulnerability
-
-Backport of upstream commit cce7062a8a6b6a3b3666aea3ff86db879cba67b6
-("lua: fix highly security relevant arbitrary code execution") to
-release 0.32.0.
-
-Note: Before release 0.32.0, it used to be that mpv-related scripts
-directories where added to Lua's module-loaders search path. This
-behaviour was dropped in 0.32.0 (bc1c024ae032). Later, a similar but
-stricter behaviour was introduced (see da38caff9c0b and b86bfc907f9c).
-The original commit on which this patch is based depended on the new
-behaviour. This backport retains the 0.32.0 behaviour; all it does is
-filter out relative paths from "package.path" and "package.cpath" for
-all Lua scripts.
----
- player/lua.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
-
---- a/player/lua.c
-+++ b/player/lua.c
-@@ -273,6 +273,36 @@
- return 0;
- }
-
-+static void fuck_lua(lua_State *L, const char *search_path)
-+{
-+ void *tmp = talloc_new(NULL);
-+
-+ lua_getglobal(L, "package"); // package
-+ lua_getfield(L, -1, search_path); // package search_path
-+ bstr path = bstr0(lua_tostring(L, -1));
-+ char *newpath = talloc_strdup(tmp, "");
-+
-+ // Unbelievable but true: Lua loads .lua files AND dynamic libraries from
-+ // the working directory. This is highly security relevant.
-+ // Lua scripts are still supposed to load globally installed libraries, so
-+ // try to get by by filtering out any relative paths.
-+ while (path.len) {
-+ bstr item;
-+ bstr_split_tok(path, ";", &item, &path);
-+ if (bstr_startswith0(item, "/")) {
-+ newpath = talloc_asprintf_append(newpath, "%s%.*s",
-+ newpath[0] ? ";" : "",
-+ BSTR_P(item));
-+ }
-+ }
-+
-+ lua_pushstring(L, newpath); // package search_path newpath
-+ lua_setfield(L, -3, search_path); // package search_path
-+ lua_pop(L, 2); // -
-+
-+ talloc_free(tmp);
-+}
-+
- static int run_lua(lua_State *L)
- {
- struct script_ctx *ctx = lua_touserdata(L, -1);
-@@ -326,6 +356,10 @@
-
- assert(lua_gettop(L) == 0);
-
-+ fuck_lua(L, "path");
-+ fuck_lua(L, "cpath");
-+ assert(lua_gettop(L) == 0);
-+
- // run this under an error handler that can do backtraces
- lua_pushcfunction(L, error_handler); // errf
- lua_pushcfunction(L, load_scripts); // errf fn
diff --git a/debian/patches/series b/debian/patches/series
index 6494d1756a34..793042262c25 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,3 @@
03_waf.patch
05_add-keywords.patch
-06_ffmpeg-abi.patch
07_io-stdin-used.patch
-08_lua_security.patch
-0006-demux_mf-improve-format-string-processing.patch
diff --git a/debian/rules b/debian/rules
index 49d8fcdcb45b..2ff361e7104a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,9 +20,7 @@ override_dh_auto_configure:
--enable-cdda \
--enable-dvdnav \
--enable-libmpv-shared \
- --enable-libsmbclient \
--enable-sdl2 \
- --enable-sndio \
--disable-build-date \
$(ARCH_CONFIGURE)